# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 01.04.2020 04:33:22.491 Process: id = "1" image_name = "weeli.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\weeli.exe" page_root = "0x49484000" os_pid = "0x734" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\weeli.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x688 [0068.641] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0073.981] GetProcAddress (hModule=0x77710000, lpProcName="CryptAcquireContextA") returned 0x777191dd [0073.981] CryptAcquireContextA (in: phProv=0x3e5018, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3e5018*=0x4f0458) returned 1 [0074.425] lstrlenA (lpString="ya chubstvuu bol' gde-to v grude, i moi rani v serdce ne zalechit'") returned 66 [0074.425] GetProcessHeap () returned 0x4e0000 [0074.425] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x42) returned 0x4f02e0 [0074.425] lstrlenA (lpString="ya chubstvuu bol' gde-to v grude, i moi rani v serdce ne zalechit'") returned 66 [0074.425] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0074.426] GetProcAddress (hModule=0x77710000, lpProcName="CryptCreateHash") returned 0x7771df4e [0074.426] CryptCreateHash (in: hProv=0x4f0458, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x3e501c | out: phHash=0x3e501c) returned 1 [0074.427] lstrlenA (lpString="ya chubstvuu bol' gde-to v grude, i moi rani v serdce ne zalechit'") returned 66 [0074.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0074.427] GetProcAddress (hModule=0x77710000, lpProcName="CryptHashData") returned 0x7771df36 [0074.427] CryptHashData (hHash=0x4f04e0, pbData=0x4f02e0, dwDataLen=0x42, dwFlags=0x0) returned 1 [0074.427] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0074.428] GetProcAddress (hModule=0x77710000, lpProcName="CryptDeriveKey") returned 0x77753188 [0074.428] CryptDeriveKey (in: hProv=0x4f0458, Algid=0x6801, hBaseData=0x4f04e0, dwFlags=0x1, phKey=0x3e5014 | out: phKey=0x3e5014*=0x4f0f58) returned 1 [0074.430] GetProcessHeap () returned 0x4e0000 [0074.430] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f02e0 | out: hHeap=0x4e0000) returned 1 [0074.430] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\weeli.exe\" " [0074.430] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x759d0000 [0085.896] GetProcAddress (hModule=0x759d0000, lpProcName="CommandLineToArgvW") returned 0x759e9ee8 [0085.896] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\weeli.exe\" ", pNumArgs=0x20f7b4 | out: pNumArgs=0x20f7b4) returned 0x4f5370*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\weeli.exe" [0085.896] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="") returned 0x78 [0085.897] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0x0) returned 0x0 [0085.897] GetLastError () returned 0x0 [0085.897] lstrlenA (lpString="BgIAAACkAABSU0ExAAgAAAEAAQCj9Dj9W2Xbd4XQjaVr/aJCqQHzkG5eTnizhOm4Ryt9mZncXWWta0eH5QppPdQ2a9aUWl2RmHSlJPIJvQ/yLEFEgm/B+ZTZreVHe/HcUzXqbvDCd61HHqXhjNuGII8XTxqOWT0UAkYCUxZr65Paqc9gMYvd49AV8TOwg6WDb/Z1Kyt1JUOppcwxWXFTNOtfA7MSjhyDDt1lXyJ840ragysGefLH2AENvMDrGhU4fhyWZeI+akTvBKE51rh9Ixg+xDbWhThwpW3b4oYnGSSk3gcfRk+PQkRfdyFo9FSR6bEAKhzX9omJTTU0dGN+YWanpasJ/NF2skLYraJShvS9Fmzc") returned 368 [0085.897] LoadLibraryA (lpLibFileName="crypt32.dll") returned 0x77550000 [0087.192] GetProcAddress (hModule=0x77550000, lpProcName="CryptStringToBinaryA") returned 0x77585d77 [0087.195] CryptStringToBinaryA (in: pszString="BgIAAACkAABSU0ExAAgAAAEAAQCj9Dj9W2Xbd4XQjaVr/aJCqQHzkG5eTnizhOm4Ryt9mZncXWWta0eH5QppPdQ2a9aUWl2RmHSlJPIJvQ/yLEFEgm/B+ZTZreVHe/HcUzXqbvDCd61HHqXhjNuGII8XTxqOWT0UAkYCUxZr65Paqc9gMYvd49AV8TOwg6WDb/Z1Kyt1JUOppcwxWXFTNOtfA7MSjhyDDt1lXyJ840ragysGefLH2AENvMDrGhU4fhyWZeI+akTvBKE51rh9Ixg+xDbWhThwpW3b4oYnGSSk3gcfRk+PQkRfdyFo9FSR6bEAKhzX9omJTTU0dGN+YWanpasJ/NF2skLYraJShvS9Fmzc", cchString=0x170, dwFlags=0x1, pbBinary=0x0, pcbBinary=0x20f79c, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x20f79c, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0087.195] GetProcessHeap () returned 0x4e0000 [0087.195] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x114) returned 0x4fc520 [0087.195] lstrlenA (lpString="BgIAAACkAABSU0ExAAgAAAEAAQCj9Dj9W2Xbd4XQjaVr/aJCqQHzkG5eTnizhOm4Ryt9mZncXWWta0eH5QppPdQ2a9aUWl2RmHSlJPIJvQ/yLEFEgm/B+ZTZreVHe/HcUzXqbvDCd61HHqXhjNuGII8XTxqOWT0UAkYCUxZr65Paqc9gMYvd49AV8TOwg6WDb/Z1Kyt1JUOppcwxWXFTNOtfA7MSjhyDDt1lXyJ840ragysGefLH2AENvMDrGhU4fhyWZeI+akTvBKE51rh9Ixg+xDbWhThwpW3b4oYnGSSk3gcfRk+PQkRfdyFo9FSR6bEAKhzX9omJTTU0dGN+YWanpasJ/NF2skLYraJShvS9Fmzc") returned 368 [0087.195] CryptStringToBinaryA (in: pszString="BgIAAACkAABSU0ExAAgAAAEAAQCj9Dj9W2Xbd4XQjaVr/aJCqQHzkG5eTnizhOm4Ryt9mZncXWWta0eH5QppPdQ2a9aUWl2RmHSlJPIJvQ/yLEFEgm/B+ZTZreVHe/HcUzXqbvDCd61HHqXhjNuGII8XTxqOWT0UAkYCUxZr65Paqc9gMYvd49AV8TOwg6WDb/Z1Kyt1JUOppcwxWXFTNOtfA7MSjhyDDt1lXyJ840ragysGefLH2AENvMDrGhU4fhyWZeI+akTvBKE51rh9Ixg+xDbWhThwpW3b4oYnGSSk3gcfRk+PQkRfdyFo9FSR6bEAKhzX9omJTTU0dGN+YWanpasJ/NF2skLYraJShvS9Fmzc", cchString=0x170, dwFlags=0x1, pbBinary=0x4fc520, pcbBinary=0x20f79c, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x4fc520, pcbBinary=0x20f79c, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0087.195] CryptAcquireContextA (in: phProv=0x3e500c, szContainer="rsa public", szProvider=0x0, dwProvType=0x1, dwFlags=0x0 | out: phProv=0x3e500c*=0x0) returned 0 [0087.775] CryptAcquireContextA (in: phProv=0x3e500c, szContainer="v etom skrucheni problemi i trava", szProvider=0x0, dwProvType=0x1, dwFlags=0x8 | out: phProv=0x3e500c*=0x4fc640) returned 1 [0087.981] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0087.982] GetProcAddress (hModule=0x77710000, lpProcName="CryptImportKey") returned 0x7771c532 [0087.982] CryptImportKey (in: hProv=0x4fc640, pbData=0x4fc520, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x3e5010 | out: phKey=0x3e5010*=0x4ff008) returned 1 [0087.982] GetProcessHeap () returned 0x4e0000 [0087.982] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fc520 | out: hHeap=0x4e0000) returned 1 [0087.982] GetLogicalDrives () returned 0x4 [0087.982] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0087.982] GetProcessHeap () returned 0x4e0000 [0087.982] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x4) returned 0x4ff048 [0087.983] lstrcpyW (in: lpString1=0x20f4f0, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0087.983] lstrcatW (in: lpString1="C:\\", lpString2="NEPHILIM-DECRYPT.txt" | out: lpString1="C:\\NEPHILIM-DECRYPT.txt") returned="C:\\NEPHILIM-DECRYPT.txt" [0087.983] CreateFileW (lpFileName="C:\\NEPHILIM-DECRYPT.txt" (normalized: "c:\\nephilim-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7c [0087.986] lstrlenA (lpString="KnQYYfBkSyQBxgUKvI25xcUOAxgGeQ9X156cpb/iOu6xb0OYGfOp4tGoRwSFQKk4WUHkimbbs/wj67iT//fRfs2deyDM0fZMLtCLC4DRSguJTLQMBPM4JRUVp9XGjas/Xax5YdPgbHzcidaDQixqS13uM+OxeKi0oht+6lc+Dk8haahO7QskwBHHhQwTIVBSPP+vDNKSQe9sKv9n/m1y4lFtAtGyGG/3VU3Y2FxMhI08OEvPxxCaL1fNrnRTDVED9LcHHjcX6yZZgCvWQqu63ForrFJkcw0wF/OqmTh40G5FnFhkwbMXGXQ+Ehc4mxZ9FFMFlt5MriRX43094FvNctca+3AFwrNsrPxOg561OOZWjaxZ2y5tcoqEtbMcVvk0yiBa103sBo6NoDX6PqfvijniXFGM0Hvbz5jHOJcCnjfeCFOL8s/LAgbmPTpfc0ECksiUJZ8BtDIfv+YbwWX4VXf0BCV7aVeHG5wAAP6fUBpa4zdTCA9YvRXLnA7XtaHjlYAsjHtIs0VppwTSKptOnrpRrm3yNRZBKdaZfbB8wqc09SM9/dY/i8MVIb+2hssdj87SzFmNNDX3BEDG/dzGpoHBNhfwajemT/Q2ZOYLA24YjI6DOO566FycNbo/Lk8g7vQRBdQkfiQj5YmKXIRkZ0nBkHmCH6/DuHLIXxX7FiCpy0v7QtnnnoGnfXFwTBLd6/nAjXEQjAycKrWhU1NnoupkhJ7LePKNFT/YUw64lstOmsW+rnD62/KzxlSHglR3Jvkv/F6vdBf3t/wD/Zr7rOOJzd8nmChOqFEK/uwvrVAersE2AMgBcXergNJe8o+6VCU7DRpzhjFcIBbjSvKJBdyz2S57NbIV1qmBRYgkBJ4yCjo219//qEVqC8TUieUFwacDjjt0KUYIEPvLdN7CDthdpxRR2U6Fs5CQaZNd5P+tDZXhMl4raPiaEWR1iJ8ecAGs3hEAUbR3vJHZKXqT/dngtFHUlVvjB5suk/YkY1vYijRevWshHv9rD+jq0P0fF+wUGdHwT6jJxMsRR+TmVKA2LdnwphGjt/+05koGotCg4CfGIlNlir59TW2vRGv6yc0lPYhmdSPvEHc6viFLXqTTWAUeZ72RLguY/oZm69LLMrPWkMy0X9pAhbVdcLAqeTgh6wPZ6oKq9vCQ4aqgRLIt73+sv6VmIuV2dCLsYtxmV7BM0hYIU13VwwKWvYmcsXhkQaKK2v0a1onebQ0u8TH+GybcUR91YZD5/rRvSvZRNbRZENPoS4q2NlRCTdOBZ+Qi0QARk4JgxP3Eib2Tp/38VLr554ettl7TCubfSLCkmTgX8BcFAy2YU0+1nJYdRy35sITbTRkbFcGKk7VgnjvYx7DqcVgVbkdF2GBDZKftIgj1qCIk9fahgLrVAqlDXfOECp2lc1/yXzt0yk6xuis4Yqf2X2rGwFjuLRrDVF0x/sWhQX84OHj14R2PX2GKzUQarJfVG6dh/PSN1+tn/vWw+QFQhGbvJVou1nC7s7/+1D+JESUb+QT0laJkXODqyzXiLmRx+tSeDe3P88PGPVZlHXomHPBhSxUNaAO5PIsYcK7vNEjB+c+QI9as9RA+wazV1OsBZcIewBoGrpktxmHmphBZU7DyK+tBos5XpwQ1Y0SlPP7H8T4nnpMSH7qhhpdbuSam0caCa7jG6KcPEM7S+N6WPEojmZH/x3wDJs7cmOnEz1pFS1grmTFB5vs2eueDXDv0i46Gsnqgu+7Hjc27ubjPjNqqx7h/DpC0umIw2mHInD3Pr61B+NpploHt+xJk0R1Q9cXet9dkUv1GbwW/wcg30zlMudXU") returned 1828 [0087.986] CryptStringToBinaryA (in: pszString="KnQYYfBkSyQBxgUKvI25xcUOAxgGeQ9X156cpb/iOu6xb0OYGfOp4tGoRwSFQKk4WUHkimbbs/wj67iT//fRfs2deyDM0fZMLtCLC4DRSguJTLQMBPM4JRUVp9XGjas/Xax5YdPgbHzcidaDQixqS13uM+OxeKi0oht+6lc+Dk8haahO7QskwBHHhQwTIVBSPP+vDNKSQe9sKv9n/m1y4lFtAtGyGG/3VU3Y2FxMhI08OEvPxxCaL1fNrnRTDVED9LcHHjcX6yZZgCvWQqu63ForrFJkcw0wF/OqmTh40G5FnFhkwbMXGXQ+Ehc4mxZ9FFMFlt5MriRX43094FvNctca+3AFwrNsrPxOg561OOZWjaxZ2y5tcoqEtbMcVvk0yiBa103sBo6NoDX6PqfvijniXFGM0Hvbz5jHOJcCnjfeCFOL8s/LAgbmPTpfc0ECksiUJZ8BtDIfv+YbwWX4VXf0BCV7aVeHG5wAAP6fUBpa4zdTCA9YvRXLnA7XtaHjlYAsjHtIs0VppwTSKptOnrpRrm3yNRZBKdaZfbB8wqc09SM9/dY/i8MVIb+2hssdj87SzFmNNDX3BEDG/dzGpoHBNhfwajemT/Q2ZOYLA24YjI6DOO566FycNbo/Lk8g7vQRBdQkfiQj5YmKXIRkZ0nBkHmCH6/DuHLIXxX7FiCpy0v7QtnnnoGnfXFwTBLd6/nAjXEQjAycKrWhU1NnoupkhJ7LePKNFT/YUw64lstOmsW+rnD62/KzxlSHglR3Jvkv/F6vdBf3t/wD/Zr7rOOJzd8nmChOqFEK/uwvrVAersE2AMgBcXergNJe8o+6VCU7DRpzhjFcIBbjSvKJBdyz2S57NbIV1qmBRYgkBJ4yCjo219//qEVqC8TUieUFwacDjjt0KUYIEPvLdN7CDthdpxRR2U6Fs5CQaZNd5P+tDZXhMl4raPiaEWR1iJ8ecAGs3hEAUbR3vJHZKXqT/dngtFHUlVvjB5suk/YkY1vYijRevWshHv9rD+jq0P0fF+wUGdHwT6jJxMsRR+TmVKA2LdnwphGjt/+05koGotCg4CfGIlNlir59TW2vRGv6yc0lPYhmdSPvEHc6viFLXqTTWAUeZ72RLguY/oZm69LLMrPWkMy0X9pAhbVdcLAqeTgh6wPZ6oKq9vCQ4aqgRLIt73+sv6VmIuV2dCLsYtxmV7BM0hYIU13VwwKWvYmcsXhkQaKK2v0a1onebQ0u8TH+GybcUR91YZD5/rRvSvZRNbRZENPoS4q2NlRCTdOBZ+Qi0QARk4JgxP3Eib2Tp/38VLr554ettl7TCubfSLCkmTgX8BcFAy2YU0+1nJYdRy35sITbTRkbFcGKk7VgnjvYx7DqcVgVbkdF2GBDZKftIgj1qCIk9fahgLrVAqlDXfOECp2lc1/yXzt0yk6xuis4Yqf2X2rGwFjuLRrDVF0x/sWhQX84OHj14R2PX2GKzUQarJfVG6dh/PSN1+tn/vWw+QFQhGbvJVou1nC7s7/+1D+JESUb+QT0laJkXODqyzXiLmRx+tSeDe3P88PGPVZlHXomHPBhSxUNaAO5PIsYcK7vNEjB+c+QI9as9RA+wazV1OsBZcIewBoGrpktxmHmphBZU7DyK+tBos5XpwQ1Y0SlPP7H8T4nnpMSH7qhhpdbuSam0caCa7jG6KcPEM7S+N6WPEojmZH/x3wDJs7cmOnEz1pFS1grmTFB5vs2eueDXDv0i46Gsnqgu+7Hjc27ubjPjNqqx7h/DpC0umIw2mHInD3Pr61B+NpploHt+xJk0R1Q9cXet9dkUv1GbwW/wcg30zlMudXU", cchString=0x724, dwFlags=0x1, pbBinary=0x0, pcbBinary=0x20f708, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x20f708, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0087.986] GetProcessHeap () returned 0x4e0000 [0087.986] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x55b) returned 0x500330 [0087.987] lstrlenA (lpString="KnQYYfBkSyQBxgUKvI25xcUOAxgGeQ9X156cpb/iOu6xb0OYGfOp4tGoRwSFQKk4WUHkimbbs/wj67iT//fRfs2deyDM0fZMLtCLC4DRSguJTLQMBPM4JRUVp9XGjas/Xax5YdPgbHzcidaDQixqS13uM+OxeKi0oht+6lc+Dk8haahO7QskwBHHhQwTIVBSPP+vDNKSQe9sKv9n/m1y4lFtAtGyGG/3VU3Y2FxMhI08OEvPxxCaL1fNrnRTDVED9LcHHjcX6yZZgCvWQqu63ForrFJkcw0wF/OqmTh40G5FnFhkwbMXGXQ+Ehc4mxZ9FFMFlt5MriRX43094FvNctca+3AFwrNsrPxOg561OOZWjaxZ2y5tcoqEtbMcVvk0yiBa103sBo6NoDX6PqfvijniXFGM0Hvbz5jHOJcCnjfeCFOL8s/LAgbmPTpfc0ECksiUJZ8BtDIfv+YbwWX4VXf0BCV7aVeHG5wAAP6fUBpa4zdTCA9YvRXLnA7XtaHjlYAsjHtIs0VppwTSKptOnrpRrm3yNRZBKdaZfbB8wqc09SM9/dY/i8MVIb+2hssdj87SzFmNNDX3BEDG/dzGpoHBNhfwajemT/Q2ZOYLA24YjI6DOO566FycNbo/Lk8g7vQRBdQkfiQj5YmKXIRkZ0nBkHmCH6/DuHLIXxX7FiCpy0v7QtnnnoGnfXFwTBLd6/nAjXEQjAycKrWhU1NnoupkhJ7LePKNFT/YUw64lstOmsW+rnD62/KzxlSHglR3Jvkv/F6vdBf3t/wD/Zr7rOOJzd8nmChOqFEK/uwvrVAersE2AMgBcXergNJe8o+6VCU7DRpzhjFcIBbjSvKJBdyz2S57NbIV1qmBRYgkBJ4yCjo219//qEVqC8TUieUFwacDjjt0KUYIEPvLdN7CDthdpxRR2U6Fs5CQaZNd5P+tDZXhMl4raPiaEWR1iJ8ecAGs3hEAUbR3vJHZKXqT/dngtFHUlVvjB5suk/YkY1vYijRevWshHv9rD+jq0P0fF+wUGdHwT6jJxMsRR+TmVKA2LdnwphGjt/+05koGotCg4CfGIlNlir59TW2vRGv6yc0lPYhmdSPvEHc6viFLXqTTWAUeZ72RLguY/oZm69LLMrPWkMy0X9pAhbVdcLAqeTgh6wPZ6oKq9vCQ4aqgRLIt73+sv6VmIuV2dCLsYtxmV7BM0hYIU13VwwKWvYmcsXhkQaKK2v0a1onebQ0u8TH+GybcUR91YZD5/rRvSvZRNbRZENPoS4q2NlRCTdOBZ+Qi0QARk4JgxP3Eib2Tp/38VLr554ettl7TCubfSLCkmTgX8BcFAy2YU0+1nJYdRy35sITbTRkbFcGKk7VgnjvYx7DqcVgVbkdF2GBDZKftIgj1qCIk9fahgLrVAqlDXfOECp2lc1/yXzt0yk6xuis4Yqf2X2rGwFjuLRrDVF0x/sWhQX84OHj14R2PX2GKzUQarJfVG6dh/PSN1+tn/vWw+QFQhGbvJVou1nC7s7/+1D+JESUb+QT0laJkXODqyzXiLmRx+tSeDe3P88PGPVZlHXomHPBhSxUNaAO5PIsYcK7vNEjB+c+QI9as9RA+wazV1OsBZcIewBoGrpktxmHmphBZU7DyK+tBos5XpwQ1Y0SlPP7H8T4nnpMSH7qhhpdbuSam0caCa7jG6KcPEM7S+N6WPEojmZH/x3wDJs7cmOnEz1pFS1grmTFB5vs2eueDXDv0i46Gsnqgu+7Hjc27ubjPjNqqx7h/DpC0umIw2mHInD3Pr61B+NpploHt+xJk0R1Q9cXet9dkUv1GbwW/wcg30zlMudXU") returned 1828 [0087.987] CryptStringToBinaryA (in: pszString="KnQYYfBkSyQBxgUKvI25xcUOAxgGeQ9X156cpb/iOu6xb0OYGfOp4tGoRwSFQKk4WUHkimbbs/wj67iT//fRfs2deyDM0fZMLtCLC4DRSguJTLQMBPM4JRUVp9XGjas/Xax5YdPgbHzcidaDQixqS13uM+OxeKi0oht+6lc+Dk8haahO7QskwBHHhQwTIVBSPP+vDNKSQe9sKv9n/m1y4lFtAtGyGG/3VU3Y2FxMhI08OEvPxxCaL1fNrnRTDVED9LcHHjcX6yZZgCvWQqu63ForrFJkcw0wF/OqmTh40G5FnFhkwbMXGXQ+Ehc4mxZ9FFMFlt5MriRX43094FvNctca+3AFwrNsrPxOg561OOZWjaxZ2y5tcoqEtbMcVvk0yiBa103sBo6NoDX6PqfvijniXFGM0Hvbz5jHOJcCnjfeCFOL8s/LAgbmPTpfc0ECksiUJZ8BtDIfv+YbwWX4VXf0BCV7aVeHG5wAAP6fUBpa4zdTCA9YvRXLnA7XtaHjlYAsjHtIs0VppwTSKptOnrpRrm3yNRZBKdaZfbB8wqc09SM9/dY/i8MVIb+2hssdj87SzFmNNDX3BEDG/dzGpoHBNhfwajemT/Q2ZOYLA24YjI6DOO566FycNbo/Lk8g7vQRBdQkfiQj5YmKXIRkZ0nBkHmCH6/DuHLIXxX7FiCpy0v7QtnnnoGnfXFwTBLd6/nAjXEQjAycKrWhU1NnoupkhJ7LePKNFT/YUw64lstOmsW+rnD62/KzxlSHglR3Jvkv/F6vdBf3t/wD/Zr7rOOJzd8nmChOqFEK/uwvrVAersE2AMgBcXergNJe8o+6VCU7DRpzhjFcIBbjSvKJBdyz2S57NbIV1qmBRYgkBJ4yCjo219//qEVqC8TUieUFwacDjjt0KUYIEPvLdN7CDthdpxRR2U6Fs5CQaZNd5P+tDZXhMl4raPiaEWR1iJ8ecAGs3hEAUbR3vJHZKXqT/dngtFHUlVvjB5suk/YkY1vYijRevWshHv9rD+jq0P0fF+wUGdHwT6jJxMsRR+TmVKA2LdnwphGjt/+05koGotCg4CfGIlNlir59TW2vRGv6yc0lPYhmdSPvEHc6viFLXqTTWAUeZ72RLguY/oZm69LLMrPWkMy0X9pAhbVdcLAqeTgh6wPZ6oKq9vCQ4aqgRLIt73+sv6VmIuV2dCLsYtxmV7BM0hYIU13VwwKWvYmcsXhkQaKK2v0a1onebQ0u8TH+GybcUR91YZD5/rRvSvZRNbRZENPoS4q2NlRCTdOBZ+Qi0QARk4JgxP3Eib2Tp/38VLr554ettl7TCubfSLCkmTgX8BcFAy2YU0+1nJYdRy35sITbTRkbFcGKk7VgnjvYx7DqcVgVbkdF2GBDZKftIgj1qCIk9fahgLrVAqlDXfOECp2lc1/yXzt0yk6xuis4Yqf2X2rGwFjuLRrDVF0x/sWhQX84OHj14R2PX2GKzUQarJfVG6dh/PSN1+tn/vWw+QFQhGbvJVou1nC7s7/+1D+JESUb+QT0laJkXODqyzXiLmRx+tSeDe3P88PGPVZlHXomHPBhSxUNaAO5PIsYcK7vNEjB+c+QI9as9RA+wazV1OsBZcIewBoGrpktxmHmphBZU7DyK+tBos5XpwQ1Y0SlPP7H8T4nnpMSH7qhhpdbuSam0caCa7jG6KcPEM7S+N6WPEojmZH/x3wDJs7cmOnEz1pFS1grmTFB5vs2eueDXDv0i46Gsnqgu+7Hjc27ubjPjNqqx7h/DpC0umIw2mHInD3Pr61B+NpploHt+xJk0R1Q9cXet9dkUv1GbwW/wcg30zlMudXU", cchString=0x724, dwFlags=0x1, pbBinary=0x500330, pcbBinary=0x20f708, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x500330, pcbBinary=0x20f708, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0087.987] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0087.987] GetProcAddress (hModule=0x77710000, lpProcName="CryptDecrypt") returned 0x77753178 [0087.987] CryptDecrypt (in: hKey=0x4f0f58, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x500330, pdwDataLen=0x20f700 | out: pbData=0x500330, pdwDataLen=0x20f700) returned 1 [0087.988] WriteFile (in: hFile=0x7c, lpBuffer=0x500330*, nNumberOfBytesToWrite=0x55b, lpNumberOfBytesWritten=0x20f6f8, lpOverlapped=0x0 | out: lpBuffer=0x500330*, lpNumberOfBytesWritten=0x20f6f8*=0x55b, lpOverlapped=0x0) returned 1 [0087.990] GetProcessHeap () returned 0x4e0000 [0087.990] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x500330 | out: hHeap=0x4e0000) returned 1 [0087.990] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x3e1b8f, lpParameter=0x4ff048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xd8 [0087.991] Sleep (dwMilliseconds=0x1f4) [0088.501] WaitForSingleObject (hHandle=0xd8, dwMilliseconds=0xffffffff) returned 0x0 [0119.692] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0119.692] GetProcAddress (hModule=0x77130000, lpProcName="GetDesktopWindow") returned 0x77150a19 [0119.692] GetDesktopWindow () returned 0x10010 [0119.693] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0119.693] GetProcAddress (hModule=0x77130000, lpProcName="GetWindowRect") returned 0x77147f34 [0119.693] GetWindowRect (in: hWnd=0x10010, lpRect=0x20f71c | out: lpRect=0x20f71c) returned 1 [0119.694] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x20f4e0 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\") returned 0x25 [0119.694] lstrcatW (in: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\", lpString2="\\god.jpg" | out: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\\\god.jpg") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\\\god.jpg" [0119.694] lstrlenA (lpString="KnQYYfBkSyQBxgUKvI25xcUOAxgGeQ9X156cpb/iOu6xb0OYGfOp4tGoRwSFQKk4WUHkimbbs/wj67iT//fRfs2deyDM0fZMLtCLC4DRSguJTLQMBPM4JRUVp9XGjas/Xax5YdPgbHzcidaDQixqS13uM+OxeKi0oht+6lc+Dk8haahO7QskwBHHhQwTIVBSPP+vDNKSQe9sKv9n/m1y4lFtAtGyGG/3VU3Y2FxMhI08OEvPxxCaL1fNrnRTDVED9LcHHjcX6yZZgCvWQqu63ForrFJkcw0wF/OqmTh40G5FnFhkwbMXGXQ+Ehc4mxZ9FFMFlt5MriRX43094FvNctca+3AFwrNsrPxOg561OOZWjaxZ2y5tcoqEtbMcVvk0yiBa103sBo6NoDX6PqfvijniXFGM0Hvbz5jHOJcCnjfeCFOL8s/LAgbmPTpfc0ECksiUJZ8BtDIfv+YbwWX4VXf0BCV7aVeHG5wAAP6fUBpa4zdTCA9YvRXLnA7XtaHjlYAsjHtIs0VppwTSKptOnrpRrm3yNRZBKdaZfbB8wqc09SM9/dY/i8MVIb+2hssdj87SzFmNNDX3BEDG/dzGpoHBNhfwajemT/Q2ZOYLA24YjI6DOO566FycNbo/Lk8g7vQRBdQkfiQj5YmKXIRkZ0nBkHmCH6/DuHLIXxX7FiCpy0v7QtnnnoGnfXFwTBLd6/nAjXEQjAycKrWhU1NnoupkhJ7LePKNFT/YUw64lstOmsW+rnD62/KzxlSHglR3Jvkv/F6vdBf3t/wD/Zr7rOOJzd8nmChOqFEK/uwvrVAersE2AMgBcXergNJe8o+6VCU7DRpzhjFcIBbjSvKJBdyz2S57NbIV1qmBRYgkBJ4yCjo219//qEVqC8TUieUFwacDjjt0KUYIEPvLdN7CDthdpxRR2U6Fs5CQaZNd5P+tDZXhMl4raPiaEWR1iJ8ecAGs3hEAUbR3vJHZKXqT/dngtFHUlVvjB5suk/YkY1vYijRevWshHv9rD+jq0P0fF+wUGdHwT6jJxMsRR+TmVKA2LdnwphGjt/+05koGotCg4CfGIlNlir59TW2vRGv6yc0lPYhmdSPvEHc6viFLXqTTWAUeZ72RLguY/oZm69LLMrPWkMy0X9pAhbVdcLAqeTgh6wPZ6oKq9vCQ4aqgRLIt73+sv6VmIuV2dCLsYtxmV7BM0hYIU13VwwKWvYmcsXhkQaKK2v0a1onebQ0u8TH+GybcUR91YZD5/rRvSvZRNbRZENPoS4q2NlRCTdOBZ+Qi0QARk4JgxP3Eib2Tp/38VLr554ettl7TCubfSLCkmTgX8BcFAy2YU0+1nJYdRy35sITbTRkbFcGKk7VgnjvYx7DqcVgVbkdF2GBDZKftIgj1qCIk9fahgLrVAqlDXfOECp2lc1/yXzt0yk6xuis4Yqf2X2rGwFjuLRrDVF0x/sWhQX84OHj14R2PX2GKzUQarJfVG6dh/PSN1+tn/vWw+QFQhGbvJVou1nC7s7/+1D+JESUb+QT0laJkXODqyzXiLmRx+tSeDe3P88PGPVZlHXomHPBhSxUNaAO5PIsYcK7vNEjB+c+QI9as9RA+wazV1OsBZcIewBoGrpktxmHmphBZU7DyK+tBos5XpwQ1Y0SlPP7H8T4nnpMSH7qhhpdbuSam0caCa7jG6KcPEM7S+N6WPEojmZH/x3wDJs7cmOnEz1pFS1grmTFB5vs2eueDXDv0i46Gsnqgu+7Hjc27ubjPjNqqx7h/DpC0umIw2mHInD3Pr61B+NpploHt+xJk0R1Q9cXet9dkUv1GbwW/wcg30zlMudXU") returned 1828 [0119.694] CryptStringToBinaryA (in: pszString="KnQYYfBkSyQBxgUKvI25xcUOAxgGeQ9X156cpb/iOu6xb0OYGfOp4tGoRwSFQKk4WUHkimbbs/wj67iT//fRfs2deyDM0fZMLtCLC4DRSguJTLQMBPM4JRUVp9XGjas/Xax5YdPgbHzcidaDQixqS13uM+OxeKi0oht+6lc+Dk8haahO7QskwBHHhQwTIVBSPP+vDNKSQe9sKv9n/m1y4lFtAtGyGG/3VU3Y2FxMhI08OEvPxxCaL1fNrnRTDVED9LcHHjcX6yZZgCvWQqu63ForrFJkcw0wF/OqmTh40G5FnFhkwbMXGXQ+Ehc4mxZ9FFMFlt5MriRX43094FvNctca+3AFwrNsrPxOg561OOZWjaxZ2y5tcoqEtbMcVvk0yiBa103sBo6NoDX6PqfvijniXFGM0Hvbz5jHOJcCnjfeCFOL8s/LAgbmPTpfc0ECksiUJZ8BtDIfv+YbwWX4VXf0BCV7aVeHG5wAAP6fUBpa4zdTCA9YvRXLnA7XtaHjlYAsjHtIs0VppwTSKptOnrpRrm3yNRZBKdaZfbB8wqc09SM9/dY/i8MVIb+2hssdj87SzFmNNDX3BEDG/dzGpoHBNhfwajemT/Q2ZOYLA24YjI6DOO566FycNbo/Lk8g7vQRBdQkfiQj5YmKXIRkZ0nBkHmCH6/DuHLIXxX7FiCpy0v7QtnnnoGnfXFwTBLd6/nAjXEQjAycKrWhU1NnoupkhJ7LePKNFT/YUw64lstOmsW+rnD62/KzxlSHglR3Jvkv/F6vdBf3t/wD/Zr7rOOJzd8nmChOqFEK/uwvrVAersE2AMgBcXergNJe8o+6VCU7DRpzhjFcIBbjSvKJBdyz2S57NbIV1qmBRYgkBJ4yCjo219//qEVqC8TUieUFwacDjjt0KUYIEPvLdN7CDthdpxRR2U6Fs5CQaZNd5P+tDZXhMl4raPiaEWR1iJ8ecAGs3hEAUbR3vJHZKXqT/dngtFHUlVvjB5suk/YkY1vYijRevWshHv9rD+jq0P0fF+wUGdHwT6jJxMsRR+TmVKA2LdnwphGjt/+05koGotCg4CfGIlNlir59TW2vRGv6yc0lPYhmdSPvEHc6viFLXqTTWAUeZ72RLguY/oZm69LLMrPWkMy0X9pAhbVdcLAqeTgh6wPZ6oKq9vCQ4aqgRLIt73+sv6VmIuV2dCLsYtxmV7BM0hYIU13VwwKWvYmcsXhkQaKK2v0a1onebQ0u8TH+GybcUR91YZD5/rRvSvZRNbRZENPoS4q2NlRCTdOBZ+Qi0QARk4JgxP3Eib2Tp/38VLr554ettl7TCubfSLCkmTgX8BcFAy2YU0+1nJYdRy35sITbTRkbFcGKk7VgnjvYx7DqcVgVbkdF2GBDZKftIgj1qCIk9fahgLrVAqlDXfOECp2lc1/yXzt0yk6xuis4Yqf2X2rGwFjuLRrDVF0x/sWhQX84OHj14R2PX2GKzUQarJfVG6dh/PSN1+tn/vWw+QFQhGbvJVou1nC7s7/+1D+JESUb+QT0laJkXODqyzXiLmRx+tSeDe3P88PGPVZlHXomHPBhSxUNaAO5PIsYcK7vNEjB+c+QI9as9RA+wazV1OsBZcIewBoGrpktxmHmphBZU7DyK+tBos5XpwQ1Y0SlPP7H8T4nnpMSH7qhhpdbuSam0caCa7jG6KcPEM7S+N6WPEojmZH/x3wDJs7cmOnEz1pFS1grmTFB5vs2eueDXDv0i46Gsnqgu+7Hjc27ubjPjNqqx7h/DpC0umIw2mHInD3Pr61B+NpploHt+xJk0R1Q9cXet9dkUv1GbwW/wcg30zlMudXU", cchString=0x724, dwFlags=0x1, pbBinary=0x0, pcbBinary=0x20f4c4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x20f4c4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0119.694] GetProcessHeap () returned 0x4e0000 [0119.694] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x55b) returned 0x502cf8 [0119.694] lstrlenA (lpString="KnQYYfBkSyQBxgUKvI25xcUOAxgGeQ9X156cpb/iOu6xb0OYGfOp4tGoRwSFQKk4WUHkimbbs/wj67iT//fRfs2deyDM0fZMLtCLC4DRSguJTLQMBPM4JRUVp9XGjas/Xax5YdPgbHzcidaDQixqS13uM+OxeKi0oht+6lc+Dk8haahO7QskwBHHhQwTIVBSPP+vDNKSQe9sKv9n/m1y4lFtAtGyGG/3VU3Y2FxMhI08OEvPxxCaL1fNrnRTDVED9LcHHjcX6yZZgCvWQqu63ForrFJkcw0wF/OqmTh40G5FnFhkwbMXGXQ+Ehc4mxZ9FFMFlt5MriRX43094FvNctca+3AFwrNsrPxOg561OOZWjaxZ2y5tcoqEtbMcVvk0yiBa103sBo6NoDX6PqfvijniXFGM0Hvbz5jHOJcCnjfeCFOL8s/LAgbmPTpfc0ECksiUJZ8BtDIfv+YbwWX4VXf0BCV7aVeHG5wAAP6fUBpa4zdTCA9YvRXLnA7XtaHjlYAsjHtIs0VppwTSKptOnrpRrm3yNRZBKdaZfbB8wqc09SM9/dY/i8MVIb+2hssdj87SzFmNNDX3BEDG/dzGpoHBNhfwajemT/Q2ZOYLA24YjI6DOO566FycNbo/Lk8g7vQRBdQkfiQj5YmKXIRkZ0nBkHmCH6/DuHLIXxX7FiCpy0v7QtnnnoGnfXFwTBLd6/nAjXEQjAycKrWhU1NnoupkhJ7LePKNFT/YUw64lstOmsW+rnD62/KzxlSHglR3Jvkv/F6vdBf3t/wD/Zr7rOOJzd8nmChOqFEK/uwvrVAersE2AMgBcXergNJe8o+6VCU7DRpzhjFcIBbjSvKJBdyz2S57NbIV1qmBRYgkBJ4yCjo219//qEVqC8TUieUFwacDjjt0KUYIEPvLdN7CDthdpxRR2U6Fs5CQaZNd5P+tDZXhMl4raPiaEWR1iJ8ecAGs3hEAUbR3vJHZKXqT/dngtFHUlVvjB5suk/YkY1vYijRevWshHv9rD+jq0P0fF+wUGdHwT6jJxMsRR+TmVKA2LdnwphGjt/+05koGotCg4CfGIlNlir59TW2vRGv6yc0lPYhmdSPvEHc6viFLXqTTWAUeZ72RLguY/oZm69LLMrPWkMy0X9pAhbVdcLAqeTgh6wPZ6oKq9vCQ4aqgRLIt73+sv6VmIuV2dCLsYtxmV7BM0hYIU13VwwKWvYmcsXhkQaKK2v0a1onebQ0u8TH+GybcUR91YZD5/rRvSvZRNbRZENPoS4q2NlRCTdOBZ+Qi0QARk4JgxP3Eib2Tp/38VLr554ettl7TCubfSLCkmTgX8BcFAy2YU0+1nJYdRy35sITbTRkbFcGKk7VgnjvYx7DqcVgVbkdF2GBDZKftIgj1qCIk9fahgLrVAqlDXfOECp2lc1/yXzt0yk6xuis4Yqf2X2rGwFjuLRrDVF0x/sWhQX84OHj14R2PX2GKzUQarJfVG6dh/PSN1+tn/vWw+QFQhGbvJVou1nC7s7/+1D+JESUb+QT0laJkXODqyzXiLmRx+tSeDe3P88PGPVZlHXomHPBhSxUNaAO5PIsYcK7vNEjB+c+QI9as9RA+wazV1OsBZcIewBoGrpktxmHmphBZU7DyK+tBos5XpwQ1Y0SlPP7H8T4nnpMSH7qhhpdbuSam0caCa7jG6KcPEM7S+N6WPEojmZH/x3wDJs7cmOnEz1pFS1grmTFB5vs2eueDXDv0i46Gsnqgu+7Hjc27ubjPjNqqx7h/DpC0umIw2mHInD3Pr61B+NpploHt+xJk0R1Q9cXet9dkUv1GbwW/wcg30zlMudXU") returned 1828 [0119.694] CryptStringToBinaryA (in: pszString="KnQYYfBkSyQBxgUKvI25xcUOAxgGeQ9X156cpb/iOu6xb0OYGfOp4tGoRwSFQKk4WUHkimbbs/wj67iT//fRfs2deyDM0fZMLtCLC4DRSguJTLQMBPM4JRUVp9XGjas/Xax5YdPgbHzcidaDQixqS13uM+OxeKi0oht+6lc+Dk8haahO7QskwBHHhQwTIVBSPP+vDNKSQe9sKv9n/m1y4lFtAtGyGG/3VU3Y2FxMhI08OEvPxxCaL1fNrnRTDVED9LcHHjcX6yZZgCvWQqu63ForrFJkcw0wF/OqmTh40G5FnFhkwbMXGXQ+Ehc4mxZ9FFMFlt5MriRX43094FvNctca+3AFwrNsrPxOg561OOZWjaxZ2y5tcoqEtbMcVvk0yiBa103sBo6NoDX6PqfvijniXFGM0Hvbz5jHOJcCnjfeCFOL8s/LAgbmPTpfc0ECksiUJZ8BtDIfv+YbwWX4VXf0BCV7aVeHG5wAAP6fUBpa4zdTCA9YvRXLnA7XtaHjlYAsjHtIs0VppwTSKptOnrpRrm3yNRZBKdaZfbB8wqc09SM9/dY/i8MVIb+2hssdj87SzFmNNDX3BEDG/dzGpoHBNhfwajemT/Q2ZOYLA24YjI6DOO566FycNbo/Lk8g7vQRBdQkfiQj5YmKXIRkZ0nBkHmCH6/DuHLIXxX7FiCpy0v7QtnnnoGnfXFwTBLd6/nAjXEQjAycKrWhU1NnoupkhJ7LePKNFT/YUw64lstOmsW+rnD62/KzxlSHglR3Jvkv/F6vdBf3t/wD/Zr7rOOJzd8nmChOqFEK/uwvrVAersE2AMgBcXergNJe8o+6VCU7DRpzhjFcIBbjSvKJBdyz2S57NbIV1qmBRYgkBJ4yCjo219//qEVqC8TUieUFwacDjjt0KUYIEPvLdN7CDthdpxRR2U6Fs5CQaZNd5P+tDZXhMl4raPiaEWR1iJ8ecAGs3hEAUbR3vJHZKXqT/dngtFHUlVvjB5suk/YkY1vYijRevWshHv9rD+jq0P0fF+wUGdHwT6jJxMsRR+TmVKA2LdnwphGjt/+05koGotCg4CfGIlNlir59TW2vRGv6yc0lPYhmdSPvEHc6viFLXqTTWAUeZ72RLguY/oZm69LLMrPWkMy0X9pAhbVdcLAqeTgh6wPZ6oKq9vCQ4aqgRLIt73+sv6VmIuV2dCLsYtxmV7BM0hYIU13VwwKWvYmcsXhkQaKK2v0a1onebQ0u8TH+GybcUR91YZD5/rRvSvZRNbRZENPoS4q2NlRCTdOBZ+Qi0QARk4JgxP3Eib2Tp/38VLr554ettl7TCubfSLCkmTgX8BcFAy2YU0+1nJYdRy35sITbTRkbFcGKk7VgnjvYx7DqcVgVbkdF2GBDZKftIgj1qCIk9fahgLrVAqlDXfOECp2lc1/yXzt0yk6xuis4Yqf2X2rGwFjuLRrDVF0x/sWhQX84OHj14R2PX2GKzUQarJfVG6dh/PSN1+tn/vWw+QFQhGbvJVou1nC7s7/+1D+JESUb+QT0laJkXODqyzXiLmRx+tSeDe3P88PGPVZlHXomHPBhSxUNaAO5PIsYcK7vNEjB+c+QI9as9RA+wazV1OsBZcIewBoGrpktxmHmphBZU7DyK+tBos5XpwQ1Y0SlPP7H8T4nnpMSH7qhhpdbuSam0caCa7jG6KcPEM7S+N6WPEojmZH/x3wDJs7cmOnEz1pFS1grmTFB5vs2eueDXDv0i46Gsnqgu+7Hjc27ubjPjNqqx7h/DpC0umIw2mHInD3Pr61B+NpploHt+xJk0R1Q9cXet9dkUv1GbwW/wcg30zlMudXU", cchString=0x724, dwFlags=0x1, pbBinary=0x502cf8, pcbBinary=0x20f4c4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x502cf8, pcbBinary=0x20f4c4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0119.694] CryptDecrypt (in: hKey=0x4f0f58, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x502cf8, pdwDataLen=0x20f4c4 | out: pbData=0x502cf8, pdwDataLen=0x20f4c4) returned 1 [0119.694] GetProcessHeap () returned 0x4e0000 [0119.694] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x55c) returned 0x503260 [0119.694] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0119.695] GetProcAddress (hModule=0x770a0000, lpProcName="CreateFontW") returned 0x770bb600 [0119.695] CreateFontW (cHeight=28, cWidth=0, cEscapement=0, cOrientation=0, cWeight=400, bItalic=0x0, bUnderline=0x0, bStrikeOut=0x0, iCharSet=0x1, iOutPrecision=0x2, iClipPrecision=0x0, iQuality=0x0, iPitchAndFamily=0x0, pszFaceName="Comic Sans MS") returned 0x7e0a09ec [0119.696] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0119.696] GetProcAddress (hModule=0x77130000, lpProcName="GetDC") returned 0x771472c4 [0119.696] GetDC (hWnd=0x0) returned 0x40109b7 [0119.696] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0119.696] GetProcAddress (hModule=0x770a0000, lpProcName="CreateCompatibleDC") returned 0x770b54f4 [0119.696] CreateCompatibleDC (hdc=0x40109b7) returned 0x470109f0 [0119.696] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0119.697] GetProcAddress (hModule=0x770a0000, lpProcName="SelectObject") returned 0x770b4f70 [0119.697] SelectObject (hdc=0x470109f0, h=0x7e0a09ec) returned 0x18a002e [0119.697] lstrlenA (lpString="Two things have happened to your company.\r\n==========================================================================================================================\r\nAll of your files have been encrypted with military grade algorithms.\r\nThe only way to retrieve your data is with our software.\r\nRestoration of your data requires a private key which only we possess.\r\n==========================================================================================================================\r\nInformation that we deemed valuable or sensitive was downloaded from your network to a secure location.\r\nWe can provide proof that your files have been extracted.\r\nIf you do not contact us we will start leaking the data periodically in parts.\r\n==========================================================================================================================\r\nTo confirm that our decryption software works email to us 2 files from random computers. \r\nYou will receive further instructions after you send us the test files.\r\nWe will make sure you retrieve your data swiftly and securely and that your data is not leaked when our demands are met.\r\nIf we do not come to an agreement your data will be leaked on this website.\r\nTOR link: http://hxt254aygrsziejn.onion\r\n\r\nContact us via email:\r\nDeanlivermore@protonmail.com\r\nrobertatravels@mail.com\r\nBernardocarlos@tutanota.com") returned 1371 [0119.697] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0119.697] GetProcAddress (hModule=0x770a0000, lpProcName="GetTextExtentPoint32A") returned 0x770bd349 [0119.697] GetTextExtentPoint32A (in: hdc=0x470109f0, lpString="Two things have happened to your company.\r\n==========================================================================================================================\r\nAll of your files have been encrypted with military grade algorithms.\r\nThe only way to retrieve your data is with our software.\r\nRestoration of your data requires a private key which only we possess.\r\n==========================================================================================================================\r\nInformation that we deemed valuable or sensitive was downloaded from your network to a secure location.\r\nWe can provide proof that your files have been extracted.\r\nIf you do not contact us we will start leaking the data periodically in parts.\r\n==========================================================================================================================\r\nTo confirm that our decryption software works email to us 2 files from random computers. \r\nYou will receive further instructions after you send us the test files.\r\nWe will make sure you retrieve your data swiftly and securely and that your data is not leaked when our demands are met.\r\nIf we do not come to an agreement your data will be leaked on this website.\r\nTOR link: http://hxt254aygrsziejn.onion\r\n\r\nContact us via email:\r\nDeanlivermore@protonmail.com\r\nrobertatravels@mail.com\r\nBernardocarlos@tutanota.com", c=1371, psizl=0x20f73c | out: psizl=0x20f73c) returned 1 [0119.757] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0119.758] GetProcAddress (hModule=0x770a0000, lpProcName="CreateCompatibleBitmap") returned 0x770b5f49 [0119.758] CreateCompatibleBitmap (hdc=0x470109f0, cx=1440, cy=900) returned 0x50509eb [0119.759] SelectObject (hdc=0x470109f0, h=0x50509eb) returned 0x185000f [0119.759] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0119.759] GetProcAddress (hModule=0x770a0000, lpProcName="SetTextColor") returned 0x770b522d [0119.759] SetTextColor (hdc=0x470109f0, color=0xffffff) returned 0x0 [0119.759] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0119.760] GetProcAddress (hModule=0x770a0000, lpProcName="SetBkMode") returned 0x770b51a2 [0119.760] SetBkMode (hdc=0x470109f0, mode=2) returned 2 [0119.760] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0119.760] GetProcAddress (hModule=0x770a0000, lpProcName="SetBkColor") returned 0x770b52d8 [0119.760] SetBkColor (hdc=0x470109f0, color=0x0) returned 0xffffff [0119.760] lstrlenA (lpString="Two things have happened to your company.\r\n==========================================================================================================================\r\nAll of your files have been encrypted with military grade algorithms.\r\nThe only way to retrieve your data is with our software.\r\nRestoration of your data requires a private key which only we possess.\r\n==========================================================================================================================\r\nInformation that we deemed valuable or sensitive was downloaded from your network to a secure location.\r\nWe can provide proof that your files have been extracted.\r\nIf you do not contact us we will start leaking the data periodically in parts.\r\n==========================================================================================================================\r\nTo confirm that our decryption software works email to us 2 files from random computers. \r\nYou will receive further instructions after you send us the test files.\r\nWe will make sure you retrieve your data swiftly and securely and that your data is not leaked when our demands are met.\r\nIf we do not come to an agreement your data will be leaked on this website.\r\nTOR link: http://hxt254aygrsziejn.onion\r\n\r\nContact us via email:\r\nDeanlivermore@protonmail.com\r\nrobertatravels@mail.com\r\nBernardocarlos@tutanota.com") returned 1371 [0119.760] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0119.760] GetProcAddress (hModule=0x77130000, lpProcName="DrawTextA") returned 0x7715aea1 [0119.760] DrawTextA (in: hdc=0x470109f0, lpchText="Two things have happened to your company.\r\n==========================================================================================================================\r\nAll of your files have been encrypted with military grade algorithms.\r\nThe only way to retrieve your data is with our software.\r\nRestoration of your data requires a private key which only we possess.\r\n==========================================================================================================================\r\nInformation that we deemed valuable or sensitive was downloaded from your network to a secure location.\r\nWe can provide proof that your files have been extracted.\r\nIf you do not contact us we will start leaking the data periodically in parts.\r\n==========================================================================================================================\r\nTo confirm that our decryption software works email to us 2 files from random computers. \r\nYou will receive further instructions after you send us the test files.\r\nWe will make sure you retrieve your data swiftly and securely and that your data is not leaked when our demands are met.\r\nIf we do not come to an agreement your data will be leaked on this website.\r\nTOR link: http://hxt254aygrsziejn.onion\r\n\r\nContact us via email:\r\nDeanlivermore@protonmail.com\r\nrobertatravels@mail.com\r\nBernardocarlos@tutanota.com", cchText=1371, lprc=0x20f72c, format=0x211 | out: lpchText="Two things have happened to your company.\r\n==========================================================================================================================\r\nAll of your files have been encrypted with military grade algorithms.\r\nThe only way to retrieve your data is with our software.\r\nRestoration of your data requires a private key which only we possess.\r\n==========================================================================================================================\r\nInformation that we deemed valuable or sensitive was downloaded from your network to a secure location.\r\nWe can provide proof that your files have been extracted.\r\nIf you do not contact us we will start leaking the data periodically in parts.\r\n==========================================================================================================================\r\nTo confirm that our decryption software works email to us 2 files from random computers. \r\nYou will receive further instructions after you send us the test files.\r\nWe will make sure you retrieve your data swiftly and securely and that your data is not leaked when our demands are met.\r\nIf we do not come to an agreement your data will be leaked on this website.\r\nTOR link: http://hxt254aygrsziejn.onion\r\n\r\nContact us via email:\r\nDeanlivermore@protonmail.com\r\nrobertatravels@mail.com\r\nBernardocarlos@tutanota.com", lprc=0x20f72c) returned 560 [0120.029] CreateCompatibleDC (hdc=0x40109b7) returned 0x1501024a [0120.029] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0120.030] GetProcAddress (hModule=0x770a0000, lpProcName="CreateDIBSection") returned 0x770bac46 [0120.030] CreateDIBSection (in: hdc=0x470109f0, lpbmi=0x20f6f0, usage=0x0, ppvBits=0x20f784, hSection=0x0, offset=0x0 | out: ppvBits=0x20f784) returned 0x4e0509b0 [0120.031] SelectObject (hdc=0x1501024a, h=0x4e0509b0) returned 0x185000f [0120.031] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0120.031] GetProcAddress (hModule=0x770a0000, lpProcName="BitBlt") returned 0x770b5ea6 [0120.031] BitBlt (hdc=0x1501024a, x=0, y=0, cx=1440, cy=900, hdcSrc=0x470109f0, x1=0, y1=0, rop=0xcc0020) returned 1 [0120.066] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0120.066] GetProcAddress (hModule=0x77130000, lpProcName="ReleaseDC") returned 0x77147446 [0120.067] ReleaseDC (hWnd=0x0, hDC=0x40109b7) returned 1 [0120.067] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\\\god.jpg" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\god.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0120.071] WriteFile (in: hFile=0xb4, lpBuffer=0x20f744*, nNumberOfBytesToWrite=0xe, lpNumberOfBytesWritten=0x20f78c, lpOverlapped=0x0 | out: lpBuffer=0x20f744*, lpNumberOfBytesWritten=0x20f78c*=0xe, lpOverlapped=0x0) returned 1 [0120.072] WriteFile (in: hFile=0xb4, lpBuffer=0x20f754*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x20f78c, lpOverlapped=0x0 | out: lpBuffer=0x20f754*, lpNumberOfBytesWritten=0x20f78c*=0x28, lpOverlapped=0x0) returned 1 [0120.072] WriteFile (in: hFile=0xb4, lpBuffer=0x3190000*, nNumberOfBytesToWrite=0x278d00, lpNumberOfBytesWritten=0x20f78c, lpOverlapped=0x0 | out: lpBuffer=0x3190000*, lpNumberOfBytesWritten=0x20f78c*=0x278d00, lpOverlapped=0x0) returned 1 [0120.151] CloseHandle (hObject=0xb4) returned 1 [0120.151] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0120.151] GetProcAddress (hModule=0x770a0000, lpProcName="DeleteObject") returned 0x770b5689 [0120.151] DeleteObject (ho=0x50509eb) returned 1 [0120.151] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0120.151] GetProcAddress (hModule=0x770a0000, lpProcName="DeleteDC") returned 0x770b58b3 [0120.151] DeleteDC (hdc=0x470109f0) returned 1 [0120.152] DeleteObject (ho=0x7e0a09ec) returned 1 [0120.152] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0120.152] GetProcAddress (hModule=0x77130000, lpProcName="SystemParametersInfoW") returned 0x771490d3 [0120.152] SystemParametersInfoW (in: uiAction=0x14, uiParam=0x0, pvParam="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\\\god.jpg" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\god.jpg"), fWinIni=0x1 | out: pvParam=0x20f4e0) returned 1 [0124.347] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0124.347] GetProcAddress (hModule=0x77710000, lpProcName="CryptReleaseContext") returned 0x7771e124 [0124.347] CryptReleaseContext (hProv=0x4fc640, dwFlags=0x0) returned 1 [0124.347] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0124.348] GetProcAddress (hModule=0x77710000, lpProcName="CryptDestroyKey") returned 0x7771c51a [0124.348] CryptDestroyKey (hKey=0x4ff008) returned 0 [0124.348] ExitProcess (uExitCode=0x0) Thread: id = 2 os_tid = 0x500 Thread: id = 3 os_tid = 0x25c [0087.994] lstrcpyW (in: lpString1=0x24dfc60, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0087.994] lstrcatW (in: lpString1="C:\\", lpString2="*.*" | out: lpString1="C:\\*.*") returned="C:\\*.*" [0087.995] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x4ff078 [0087.995] lstrcmpiW (lpString1="$Recycle.Bin", lpString2=".") returned -1 [0087.997] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="..") returned -1 [0087.997] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="...") returned -1 [0087.997] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="windows") returned -1 [0087.997] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$RECYCLE.BIN") returned 0 [0087.997] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0087.997] lstrcmpiW (lpString1="Boot", lpString2=".") returned 1 [0087.997] lstrcmpiW (lpString1="Boot", lpString2="..") returned 1 [0087.997] lstrcmpiW (lpString1="Boot", lpString2="...") returned 1 [0087.997] lstrcmpiW (lpString1="Boot", lpString2="windows") returned -1 [0087.997] lstrcmpiW (lpString1="Boot", lpString2="$RECYCLE.BIN") returned 1 [0087.997] lstrcmpiW (lpString1="Boot", lpString2="rsa") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="log") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="NTDETECT.COM") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="ntldr") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="MSDOS.SYS") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="IO.SYS") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="boot.ini") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="AUTOEXEC.BAT") returned 1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="ntuser.dat") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="desktop.ini") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="CONFIG.SYS") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="RECYCLER") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="BOOTSECT.BAK") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="bootmgr") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="programdata") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="appdata") returned 1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="program files") returned -1 [0087.998] lstrcmpiW (lpString1="Boot", lpString2="program files (x86)") returned -1 [0087.998] lstrcpyW (in: lpString1=0x24dfa58, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0087.998] lstrcatW (in: lpString1="C:\\", lpString2="Boot" | out: lpString1="C:\\Boot") returned="C:\\Boot" [0087.998] lstrcatW (in: lpString1="C:\\Boot", lpString2="\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0087.998] lstrcpyW (in: lpString1=0x24df5e0, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0087.998] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="*.*" | out: lpString1="C:\\Boot\\*.*") returned="C:\\Boot\\*.*" [0087.998] FindFirstFileW (in: lpFileName="C:\\Boot\\*.*", lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName=".", cAlternateFileName="")) returned 0x4ff0b8 [0087.999] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0087.999] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="..", cAlternateFileName="")) returned 1 [0087.999] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0087.999] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0087.999] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x90cd45e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x90cd45e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="BCD", cAlternateFileName="")) returned 1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2=".") returned 1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2="..") returned 1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2="...") returned 1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2="windows") returned -1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2="$RECYCLE.BIN") returned 1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2="rsa") returned -1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2="log") returned -1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2="NTDETECT.COM") returned -1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2="ntldr") returned -1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2="MSDOS.SYS") returned -1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2="IO.SYS") returned -1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2="boot.ini") returned -1 [0087.999] lstrcmpiW (lpString1="BCD", lpString2="AUTOEXEC.BAT") returned 1 [0088.000] lstrcmpiW (lpString1="BCD", lpString2="ntuser.dat") returned -1 [0088.000] lstrcmpiW (lpString1="BCD", lpString2="desktop.ini") returned -1 [0088.000] lstrcmpiW (lpString1="BCD", lpString2="CONFIG.SYS") returned -1 [0088.000] lstrcmpiW (lpString1="BCD", lpString2="RECYCLER") returned -1 [0088.000] lstrcmpiW (lpString1="BCD", lpString2="BOOTSECT.BAK") returned -1 [0088.000] lstrcmpiW (lpString1="BCD", lpString2="bootmgr") returned -1 [0088.000] lstrcmpiW (lpString1="BCD", lpString2="programdata") returned -1 [0088.000] lstrcmpiW (lpString1="BCD", lpString2="appdata") returned 1 [0088.000] lstrcmpiW (lpString1="BCD", lpString2="program files") returned -1 [0088.000] lstrcmpiW (lpString1="BCD", lpString2="program files (x86)") returned -1 [0088.000] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.000] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="BCD" | out: lpString1="C:\\Boot\\BCD") returned="C:\\Boot\\BCD" [0088.000] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x772f0000 [0088.000] GetProcAddress (hModule=0x772f0000, lpProcName="PathFindExtensionW") returned 0x7730a1b9 [0088.000] PathFindExtensionW (pszPath="BCD") returned="" [0088.001] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".log") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".cab") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".cmd") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".com") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".cpl") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".ini") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".url") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".ttf") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".mp3") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".pif") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".mp4") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".NEPHILIM") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0088.001] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0088.001] lstrcmpiW (lpString1="BCD", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.001] lstrlenA (lpString="NEPHILIM") returned 8 [0088.001] GetProcessHeap () returned 0x4e0000 [0088.001] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x4ff0f8 [0088.001] lstrlenA (lpString="NEPHILIM") returned 8 [0088.001] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.002] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24df148 | out: lpFileSize=0x24df148*=4294968320) returned 0 [0088.002] GetProcessHeap () returned 0x4e0000 [0088.002] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4f3888 [0088.002] GetProcessHeap () returned 0x4e0000 [0088.002] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fc988 [0088.002] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0088.002] GetProcAddress (hModule=0x77710000, lpProcName="SystemFunction036") returned 0x77711919 [0088.003] SystemFunction036 (in: RandomBuffer=0x4f3888, RandomBufferLength=0x10 | out: RandomBuffer=0x4f3888) returned 1 [0088.003] SystemFunction036 (in: RandomBuffer=0x4fc988, RandomBufferLength=0x10 | out: RandomBuffer=0x4fc988) returned 1 [0088.003] GetProcessHeap () returned 0x4e0000 [0088.003] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x4fc520 [0088.003] GetProcessHeap () returned 0x4e0000 [0088.003] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x502550 [0088.003] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0088.003] GetProcAddress (hModule=0x77710000, lpProcName="CryptEncrypt") returned 0x7773779b [0088.003] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4fc520*, pdwDataLen=0x24def08*=0x10, dwBufLen=0x100 | out: pbData=0x4fc520*, pdwDataLen=0x24def08*=0x100) returned 1 [0088.004] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x502550*, pdwDataLen=0x24def04*=0x10, dwBufLen=0x100 | out: pbData=0x502550*, pdwDataLen=0x24def04*=0x100) returned 1 [0088.005] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.005] SetLastError (dwErrCode=0x0) [0088.005] WriteFile (in: hFile=0xffffffff, lpBuffer=0x4fc520, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0) returned 0 [0088.005] GetLastError () returned 0x6 [0088.005] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac2e8a60, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x9098e7a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5400, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2=".") returned 1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="..") returned 1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="...") returned 1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="windows") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="$RECYCLE.BIN") returned 1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="rsa") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="log") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="NTDETECT.COM") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="ntldr") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="MSDOS.SYS") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="IO.SYS") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="boot.ini") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="AUTOEXEC.BAT") returned 1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="ntuser.dat") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="desktop.ini") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="CONFIG.SYS") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="RECYCLER") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="BOOTSECT.BAK") returned -1 [0088.005] lstrcmpiW (lpString1="BCD.LOG", lpString2="bootmgr") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG", lpString2="programdata") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG", lpString2="appdata") returned 1 [0088.006] lstrcmpiW (lpString1="BCD.LOG", lpString2="program files") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG", lpString2="program files (x86)") returned -1 [0088.006] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.006] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="BCD.LOG" | out: lpString1="C:\\Boot\\BCD.LOG") returned="C:\\Boot\\BCD.LOG" [0088.006] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0088.006] lstrcmpiW (lpString1=".LOG", lpString2=".exe") returned 1 [0088.006] lstrcmpiW (lpString1=".LOG", lpString2=".log") returned 0 [0088.006] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2=".") returned 1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="..") returned 1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="...") returned 1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="windows") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$RECYCLE.BIN") returned 1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="rsa") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="log") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="NTDETECT.COM") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="ntldr") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="MSDOS.SYS") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="IO.SYS") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="boot.ini") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="AUTOEXEC.BAT") returned 1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="ntuser.dat") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="desktop.ini") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="CONFIG.SYS") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="RECYCLER") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="BOOTSECT.BAK") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="bootmgr") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="programdata") returned -1 [0088.006] lstrcmpiW (lpString1="BCD.LOG1", lpString2="appdata") returned 1 [0088.007] lstrcmpiW (lpString1="BCD.LOG1", lpString2="program files") returned -1 [0088.007] lstrcmpiW (lpString1="BCD.LOG1", lpString2="program files (x86)") returned -1 [0088.007] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.007] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="BCD.LOG1" | out: lpString1="C:\\Boot\\BCD.LOG1") returned="C:\\Boot\\BCD.LOG1" [0088.007] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".log") returned 1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".cab") returned 1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".cmd") returned 1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".com") returned 1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".cpl") returned 1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".ini") returned 1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".url") returned -1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".ttf") returned -1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".mp3") returned -1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".pif") returned -1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".mp4") returned -1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".NEPHILIM") returned -1 [0088.007] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0088.012] lstrcmpiW (lpString1=".LOG1", lpString2=".lnk") returned 1 [0088.012] lstrcmpiW (lpString1="BCD.LOG1", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.012] lstrlenA (lpString="NEPHILIM") returned 8 [0088.012] GetProcessHeap () returned 0x4e0000 [0088.012] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x4fc628 [0088.012] lstrlenA (lpString="NEPHILIM") returned 8 [0088.012] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0088.013] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x24df148 | out: lpFileSize=0x24df148*=0) returned 1 [0088.013] GetProcessHeap () returned 0x4e0000 [0088.013] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fc9a0 [0088.013] GetProcessHeap () returned 0x4e0000 [0088.013] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fc9b8 [0088.013] SystemFunction036 (in: RandomBuffer=0x4fc9a0, RandomBufferLength=0x10 | out: RandomBuffer=0x4fc9a0) returned 1 [0088.013] SystemFunction036 (in: RandomBuffer=0x4fc9b8, RandomBufferLength=0x10 | out: RandomBuffer=0x4fc9b8) returned 1 [0088.013] GetProcessHeap () returned 0x4e0000 [0088.013] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5026e8 [0088.013] GetProcessHeap () returned 0x4e0000 [0088.013] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5027f0 [0088.013] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5026e8*, pdwDataLen=0x24def08*=0x10, dwBufLen=0x100 | out: pbData=0x5026e8*, pdwDataLen=0x24def08*=0x100) returned 1 [0088.014] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5027f0*, pdwDataLen=0x24def04*=0x10, dwBufLen=0x100 | out: pbData=0x5027f0*, pdwDataLen=0x24def04*=0x100) returned 1 [0088.014] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.014] SetLastError (dwErrCode=0x0) [0088.014] WriteFile (in: hFile=0xe4, lpBuffer=0x5026e8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpBuffer=0x5026e8*, lpNumberOfBytesWritten=0x24df13c*=0x100, lpOverlapped=0x0) returned 1 [0088.015] GetLastError () returned 0x0 [0088.015] GetLastError () returned 0x0 [0088.015] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.015] WriteFile (in: hFile=0xe4, lpBuffer=0x5027f0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpBuffer=0x5027f0*, lpNumberOfBytesWritten=0x24df13c*=0x100, lpOverlapped=0x0) returned 1 [0088.016] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.016] lstrlenA (lpString="NEPHILIM") returned 8 [0088.016] WriteFile (in: hFile=0xe4, lpBuffer=0x4fc628*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpBuffer=0x4fc628*, lpNumberOfBytesWritten=0x24df13c*=0x8, lpOverlapped=0x0) returned 1 [0088.016] GetProcessHeap () returned 0x4e0000 [0088.016] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x0) returned 0x502910 [0088.016] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.016] ReadFile (in: hFile=0xe4, lpBuffer=0x502910, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x24df130, lpOverlapped=0x0 | out: lpBuffer=0x502910*, lpNumberOfBytesRead=0x24df130*=0x0, lpOverlapped=0x0) returned 1 [0088.016] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.016] WriteFile (in: hFile=0xe4, lpBuffer=0x502910*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpBuffer=0x502910*, lpNumberOfBytesWritten=0x24df13c*=0x0, lpOverlapped=0x0) returned 1 [0088.016] GetProcessHeap () returned 0x4e0000 [0088.016] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x502910 | out: hHeap=0x4e0000) returned 1 [0088.016] CloseHandle (hObject=0xe4) returned 1 [0088.017] GetProcessHeap () returned 0x4e0000 [0088.017] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5026e8 | out: hHeap=0x4e0000) returned 1 [0088.017] GetProcessHeap () returned 0x4e0000 [0088.017] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5027f0 | out: hHeap=0x4e0000) returned 1 [0088.017] GetProcessHeap () returned 0x4e0000 [0088.017] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fc9a0 | out: hHeap=0x4e0000) returned 1 [0088.017] GetProcessHeap () returned 0x4e0000 [0088.018] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fc9b8 | out: hHeap=0x4e0000) returned 1 [0088.018] lstrcpyW (in: lpString1=0x24def28, lpString2="C:\\Boot\\BCD.LOG1" | out: lpString1="C:\\Boot\\BCD.LOG1") returned="C:\\Boot\\BCD.LOG1" [0088.018] lstrcatW (in: lpString1="C:\\Boot\\BCD.LOG1", lpString2=".NEPHILIM" | out: lpString1="C:\\Boot\\BCD.LOG1.NEPHILIM") returned="C:\\Boot\\BCD.LOG1.NEPHILIM" [0088.018] MoveFileW (lpExistingFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="C:\\Boot\\BCD.LOG1.NEPHILIM" (normalized: "c:\\boot\\bcd.log1.nephilim")) returned 1 [0088.019] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2=".") returned 1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="..") returned 1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="...") returned 1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="windows") returned -1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$RECYCLE.BIN") returned 1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="rsa") returned -1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="log") returned -1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="NTDETECT.COM") returned -1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="ntldr") returned -1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="MSDOS.SYS") returned -1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="IO.SYS") returned -1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="boot.ini") returned -1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="AUTOEXEC.BAT") returned 1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="ntuser.dat") returned -1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="desktop.ini") returned -1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="CONFIG.SYS") returned -1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="RECYCLER") returned -1 [0088.019] lstrcmpiW (lpString1="BCD.LOG2", lpString2="BOOTSECT.BAK") returned -1 [0088.020] lstrcmpiW (lpString1="BCD.LOG2", lpString2="bootmgr") returned -1 [0088.020] lstrcmpiW (lpString1="BCD.LOG2", lpString2="programdata") returned -1 [0088.020] lstrcmpiW (lpString1="BCD.LOG2", lpString2="appdata") returned 1 [0088.020] lstrcmpiW (lpString1="BCD.LOG2", lpString2="program files") returned -1 [0088.020] lstrcmpiW (lpString1="BCD.LOG2", lpString2="program files (x86)") returned -1 [0088.020] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.020] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="BCD.LOG2" | out: lpString1="C:\\Boot\\BCD.LOG2") returned="C:\\Boot\\BCD.LOG2" [0088.020] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".log") returned 1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".cab") returned 1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".cmd") returned 1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".com") returned 1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".cpl") returned 1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".ini") returned 1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".url") returned -1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".ttf") returned -1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".mp3") returned -1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".pif") returned -1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".mp4") returned -1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".NEPHILIM") returned -1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0088.020] lstrcmpiW (lpString1=".LOG2", lpString2=".lnk") returned 1 [0088.020] lstrcmpiW (lpString1="BCD.LOG2", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.020] lstrlenA (lpString="NEPHILIM") returned 8 [0088.020] GetProcessHeap () returned 0x4e0000 [0088.021] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502910 [0088.021] lstrlenA (lpString="NEPHILIM") returned 8 [0088.021] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0088.021] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x24df148 | out: lpFileSize=0x24df148*=0) returned 1 [0088.021] GetProcessHeap () returned 0x4e0000 [0088.021] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fc9b8 [0088.021] GetProcessHeap () returned 0x4e0000 [0088.021] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fc9a0 [0088.021] SystemFunction036 (in: RandomBuffer=0x4fc9b8, RandomBufferLength=0x10 | out: RandomBuffer=0x4fc9b8) returned 1 [0088.021] SystemFunction036 (in: RandomBuffer=0x4fc9a0, RandomBufferLength=0x10 | out: RandomBuffer=0x4fc9a0) returned 1 [0088.021] GetProcessHeap () returned 0x4e0000 [0088.021] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5026e8 [0088.021] GetProcessHeap () returned 0x4e0000 [0088.021] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5027f0 [0088.022] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5026e8*, pdwDataLen=0x24def08*=0x10, dwBufLen=0x100 | out: pbData=0x5026e8*, pdwDataLen=0x24def08*=0x100) returned 1 [0088.022] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5027f0*, pdwDataLen=0x24def04*=0x10, dwBufLen=0x100 | out: pbData=0x5027f0*, pdwDataLen=0x24def04*=0x100) returned 1 [0088.022] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.022] SetLastError (dwErrCode=0x0) [0088.022] WriteFile (in: hFile=0xe4, lpBuffer=0x5026e8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpBuffer=0x5026e8*, lpNumberOfBytesWritten=0x24df13c*=0x100, lpOverlapped=0x0) returned 1 [0088.023] GetLastError () returned 0x0 [0088.023] GetLastError () returned 0x0 [0088.023] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.023] WriteFile (in: hFile=0xe4, lpBuffer=0x5027f0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpBuffer=0x5027f0*, lpNumberOfBytesWritten=0x24df13c*=0x100, lpOverlapped=0x0) returned 1 [0088.024] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.024] lstrlenA (lpString="NEPHILIM") returned 8 [0088.024] WriteFile (in: hFile=0xe4, lpBuffer=0x502910*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpBuffer=0x502910*, lpNumberOfBytesWritten=0x24df13c*=0x8, lpOverlapped=0x0) returned 1 [0088.024] GetProcessHeap () returned 0x4e0000 [0088.024] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x0) returned 0x502920 [0088.024] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.024] ReadFile (in: hFile=0xe4, lpBuffer=0x502920, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x24df130, lpOverlapped=0x0 | out: lpBuffer=0x502920*, lpNumberOfBytesRead=0x24df130*=0x0, lpOverlapped=0x0) returned 1 [0088.024] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.024] WriteFile (in: hFile=0xe4, lpBuffer=0x502920*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpBuffer=0x502920*, lpNumberOfBytesWritten=0x24df13c*=0x0, lpOverlapped=0x0) returned 1 [0088.024] GetProcessHeap () returned 0x4e0000 [0088.024] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x502920 | out: hHeap=0x4e0000) returned 1 [0088.024] CloseHandle (hObject=0xe4) returned 1 [0088.032] GetProcessHeap () returned 0x4e0000 [0088.032] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5026e8 | out: hHeap=0x4e0000) returned 1 [0088.032] GetProcessHeap () returned 0x4e0000 [0088.032] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5027f0 | out: hHeap=0x4e0000) returned 1 [0088.032] GetProcessHeap () returned 0x4e0000 [0088.032] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fc9b8 | out: hHeap=0x4e0000) returned 1 [0088.032] GetProcessHeap () returned 0x4e0000 [0088.032] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fc9a0 | out: hHeap=0x4e0000) returned 1 [0088.032] lstrcpyW (in: lpString1=0x24def28, lpString2="C:\\Boot\\BCD.LOG2" | out: lpString1="C:\\Boot\\BCD.LOG2") returned="C:\\Boot\\BCD.LOG2" [0088.032] lstrcatW (in: lpString1="C:\\Boot\\BCD.LOG2", lpString2=".NEPHILIM" | out: lpString1="C:\\Boot\\BCD.LOG2.NEPHILIM") returned="C:\\Boot\\BCD.LOG2.NEPHILIM" [0088.032] MoveFileW (lpExistingFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="C:\\Boot\\BCD.LOG2.NEPHILIM" (normalized: "c:\\boot\\bcd.log2.nephilim")) returned 1 [0088.033] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2=".") returned 1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="..") returned 1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="...") returned 1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="windows") returned -1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$RECYCLE.BIN") returned 1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="rsa") returned -1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="log") returned -1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="NTDETECT.COM") returned -1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="ntldr") returned -1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="MSDOS.SYS") returned -1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="IO.SYS") returned -1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="boot.ini") returned 1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="AUTOEXEC.BAT") returned 1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="ntuser.dat") returned -1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="desktop.ini") returned -1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="CONFIG.SYS") returned -1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="RECYCLER") returned -1 [0088.033] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="BOOTSECT.BAK") returned 1 [0088.034] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="bootmgr") returned 1 [0088.034] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="programdata") returned -1 [0088.034] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="appdata") returned 1 [0088.034] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="program files") returned -1 [0088.034] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="program files (x86)") returned -1 [0088.034] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.034] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="BOOTSTAT.DAT" | out: lpString1="C:\\Boot\\BOOTSTAT.DAT") returned="C:\\Boot\\BOOTSTAT.DAT" [0088.034] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".exe") returned -1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".log") returned -1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".cab") returned 1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".cmd") returned 1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".com") returned 1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".cpl") returned 1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".ini") returned -1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".dll") returned -1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".url") returned -1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".ttf") returned -1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".mp3") returned -1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".pif") returned -1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".mp4") returned -1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".NEPHILIM") returned -1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".msi") returned -1 [0088.034] lstrcmpiW (lpString1=".DAT", lpString2=".lnk") returned -1 [0088.034] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.035] lstrlenA (lpString="NEPHILIM") returned 8 [0088.035] GetProcessHeap () returned 0x4e0000 [0088.035] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502920 [0088.035] lstrlenA (lpString="NEPHILIM") returned 8 [0088.035] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0088.049] GetFileSizeEx (in: hFile=0xe4, lpFileSize=0x24df148 | out: lpFileSize=0x24df148*=65536) returned 1 [0088.050] GetProcessHeap () returned 0x4e0000 [0088.050] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fc9a0 [0088.050] GetProcessHeap () returned 0x4e0000 [0088.050] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fc9b8 [0088.050] SystemFunction036 (in: RandomBuffer=0x4fc9a0, RandomBufferLength=0x10 | out: RandomBuffer=0x4fc9a0) returned 1 [0088.050] SystemFunction036 (in: RandomBuffer=0x4fc9b8, RandomBufferLength=0x10 | out: RandomBuffer=0x4fc9b8) returned 1 [0088.050] GetProcessHeap () returned 0x4e0000 [0088.050] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5026e8 [0088.050] GetProcessHeap () returned 0x4e0000 [0088.050] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5027f0 [0088.050] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5026e8*, pdwDataLen=0x24def08*=0x10, dwBufLen=0x100 | out: pbData=0x5026e8*, pdwDataLen=0x24def08*=0x100) returned 1 [0088.050] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5027f0*, pdwDataLen=0x24def04*=0x10, dwBufLen=0x100 | out: pbData=0x5027f0*, pdwDataLen=0x24def04*=0x100) returned 1 [0088.050] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.050] SetLastError (dwErrCode=0x0) [0088.050] WriteFile (in: hFile=0xe4, lpBuffer=0x5026e8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpBuffer=0x5026e8*, lpNumberOfBytesWritten=0x24df13c*=0x100, lpOverlapped=0x0) returned 1 [0088.052] GetLastError () returned 0x0 [0088.052] GetLastError () returned 0x0 [0088.052] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x10100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.052] WriteFile (in: hFile=0xe4, lpBuffer=0x5027f0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpBuffer=0x5027f0*, lpNumberOfBytesWritten=0x24df13c*=0x100, lpOverlapped=0x0) returned 1 [0088.052] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x10200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.052] lstrlenA (lpString="NEPHILIM") returned 8 [0088.052] WriteFile (in: hFile=0xe4, lpBuffer=0x502920*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpBuffer=0x502920*, lpNumberOfBytesWritten=0x24df13c*=0x8, lpOverlapped=0x0) returned 1 [0088.052] GetProcessHeap () returned 0x4e0000 [0088.052] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10000) returned 0x502cf8 [0088.053] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.053] ReadFile (in: hFile=0xe4, lpBuffer=0x502cf8, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x24df130, lpOverlapped=0x0 | out: lpBuffer=0x502cf8*, lpNumberOfBytesRead=0x24df130*=0x10000, lpOverlapped=0x0) returned 1 [0088.059] SetFilePointerEx (in: hFile=0xe4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.059] WriteFile (in: hFile=0xe4, lpBuffer=0x502cf8*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x24df13c, lpOverlapped=0x0 | out: lpBuffer=0x502cf8*, lpNumberOfBytesWritten=0x24df13c*=0x10000, lpOverlapped=0x0) returned 1 [0088.060] GetProcessHeap () returned 0x4e0000 [0088.060] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x502cf8 | out: hHeap=0x4e0000) returned 1 [0088.060] CloseHandle (hObject=0xe4) returned 1 [0088.062] GetProcessHeap () returned 0x4e0000 [0088.062] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5026e8 | out: hHeap=0x4e0000) returned 1 [0088.062] GetProcessHeap () returned 0x4e0000 [0088.062] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5027f0 | out: hHeap=0x4e0000) returned 1 [0088.062] GetProcessHeap () returned 0x4e0000 [0088.062] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fc9a0 | out: hHeap=0x4e0000) returned 1 [0088.062] GetProcessHeap () returned 0x4e0000 [0088.062] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4fc9b8 | out: hHeap=0x4e0000) returned 1 [0088.062] lstrcpyW (in: lpString1=0x24def28, lpString2="C:\\Boot\\BOOTSTAT.DAT" | out: lpString1="C:\\Boot\\BOOTSTAT.DAT") returned="C:\\Boot\\BOOTSTAT.DAT" [0088.062] lstrcatW (in: lpString1="C:\\Boot\\BOOTSTAT.DAT", lpString2=".NEPHILIM" | out: lpString1="C:\\Boot\\BOOTSTAT.DAT.NEPHILIM") returned="C:\\Boot\\BOOTSTAT.DAT.NEPHILIM" [0088.062] MoveFileW (lpExistingFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="C:\\Boot\\BOOTSTAT.DAT.NEPHILIM" (normalized: "c:\\boot\\bootstat.dat.nephilim")) returned 1 [0088.063] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2=".") returned 1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="..") returned 1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="...") returned 1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="windows") returned -1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="$RECYCLE.BIN") returned 1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="rsa") returned -1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="log") returned -1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="NTDETECT.COM") returned -1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="ntldr") returned -1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="MSDOS.SYS") returned -1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="IO.SYS") returned -1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="boot.ini") returned 1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="AUTOEXEC.BAT") returned 1 [0088.063] lstrcmpiW (lpString1="cs-CZ", lpString2="ntuser.dat") returned -1 [0088.064] lstrcmpiW (lpString1="cs-CZ", lpString2="desktop.ini") returned -1 [0088.064] lstrcmpiW (lpString1="cs-CZ", lpString2="CONFIG.SYS") returned 1 [0088.064] lstrcmpiW (lpString1="cs-CZ", lpString2="RECYCLER") returned -1 [0088.064] lstrcmpiW (lpString1="cs-CZ", lpString2="BOOTSECT.BAK") returned 1 [0088.064] lstrcmpiW (lpString1="cs-CZ", lpString2="bootmgr") returned 1 [0088.064] lstrcmpiW (lpString1="cs-CZ", lpString2="programdata") returned -1 [0088.064] lstrcmpiW (lpString1="cs-CZ", lpString2="appdata") returned 1 [0088.064] lstrcmpiW (lpString1="cs-CZ", lpString2="program files") returned -1 [0088.064] lstrcmpiW (lpString1="cs-CZ", lpString2="program files (x86)") returned -1 [0088.064] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.064] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="cs-CZ" | out: lpString1="C:\\Boot\\cs-CZ") returned="C:\\Boot\\cs-CZ" [0088.064] lstrcatW (in: lpString1="C:\\Boot\\cs-CZ", lpString2="\\" | out: lpString1="C:\\Boot\\cs-CZ\\") returned="C:\\Boot\\cs-CZ\\" [0088.064] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\cs-CZ\\" | out: lpString1="C:\\Boot\\cs-CZ\\") returned="C:\\Boot\\cs-CZ\\" [0088.064] lstrcatW (in: lpString1="C:\\Boot\\cs-CZ\\", lpString2="*.*" | out: lpString1="C:\\Boot\\cs-CZ\\*.*") returned="C:\\Boot\\cs-CZ\\*.*" [0088.064] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.065] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.065] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.065] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.065] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.065] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.065] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.066] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.066] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.066] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\cs-CZ\\" | out: lpString1="C:\\Boot\\cs-CZ\\") returned="C:\\Boot\\cs-CZ\\" [0088.066] lstrcatW (in: lpString1="C:\\Boot\\cs-CZ\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" [0088.066] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.066] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.066] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.066] lstrlenA (lpString="NEPHILIM") returned 8 [0088.066] GetProcessHeap () returned 0x4e0000 [0088.066] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502930 [0088.066] lstrlenA (lpString="NEPHILIM") returned 8 [0088.066] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.067] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.067] GetProcessHeap () returned 0x4e0000 [0088.067] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fc9b8 [0088.067] GetProcessHeap () returned 0x4e0000 [0088.067] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fc9a0 [0088.067] SystemFunction036 (in: RandomBuffer=0x4fc9b8, RandomBufferLength=0x10 | out: RandomBuffer=0x4fc9b8) returned 1 [0088.067] SystemFunction036 (in: RandomBuffer=0x4fc9a0, RandomBufferLength=0x10 | out: RandomBuffer=0x4fc9a0) returned 1 [0088.067] GetProcessHeap () returned 0x4e0000 [0088.067] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x502728 [0088.067] GetProcessHeap () returned 0x4e0000 [0088.067] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x503d00 [0088.067] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x502728*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x502728*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.067] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x503d00*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x503d00*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.068] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.068] SetLastError (dwErrCode=0x0) [0088.068] WriteFile (in: hFile=0xffffffff, lpBuffer=0x502728, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.068] GetLastError () returned 0x6 [0088.068] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.068] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.068] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0088.068] lstrcmpiW (lpString1="da-DK", lpString2=".") returned 1 [0088.068] lstrcmpiW (lpString1="da-DK", lpString2="..") returned 1 [0088.068] lstrcmpiW (lpString1="da-DK", lpString2="...") returned 1 [0088.068] lstrcmpiW (lpString1="da-DK", lpString2="windows") returned -1 [0088.068] lstrcmpiW (lpString1="da-DK", lpString2="$RECYCLE.BIN") returned 1 [0088.068] lstrcmpiW (lpString1="da-DK", lpString2="rsa") returned -1 [0088.068] lstrcmpiW (lpString1="da-DK", lpString2="log") returned -1 [0088.068] lstrcmpiW (lpString1="da-DK", lpString2="NTDETECT.COM") returned -1 [0088.068] lstrcmpiW (lpString1="da-DK", lpString2="ntldr") returned -1 [0088.068] lstrcmpiW (lpString1="da-DK", lpString2="MSDOS.SYS") returned -1 [0088.068] lstrcmpiW (lpString1="da-DK", lpString2="IO.SYS") returned -1 [0088.069] lstrcmpiW (lpString1="da-DK", lpString2="boot.ini") returned 1 [0088.069] lstrcmpiW (lpString1="da-DK", lpString2="AUTOEXEC.BAT") returned 1 [0088.069] lstrcmpiW (lpString1="da-DK", lpString2="ntuser.dat") returned -1 [0088.069] lstrcmpiW (lpString1="da-DK", lpString2="desktop.ini") returned -1 [0088.069] lstrcmpiW (lpString1="da-DK", lpString2="CONFIG.SYS") returned 1 [0088.069] lstrcmpiW (lpString1="da-DK", lpString2="RECYCLER") returned -1 [0088.069] lstrcmpiW (lpString1="da-DK", lpString2="BOOTSECT.BAK") returned 1 [0088.069] lstrcmpiW (lpString1="da-DK", lpString2="bootmgr") returned 1 [0088.069] lstrcmpiW (lpString1="da-DK", lpString2="programdata") returned -1 [0088.069] lstrcmpiW (lpString1="da-DK", lpString2="appdata") returned 1 [0088.069] lstrcmpiW (lpString1="da-DK", lpString2="program files") returned -1 [0088.069] lstrcmpiW (lpString1="da-DK", lpString2="program files (x86)") returned -1 [0088.069] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.069] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="da-DK" | out: lpString1="C:\\Boot\\da-DK") returned="C:\\Boot\\da-DK" [0088.069] lstrcatW (in: lpString1="C:\\Boot\\da-DK", lpString2="\\" | out: lpString1="C:\\Boot\\da-DK\\") returned="C:\\Boot\\da-DK\\" [0088.069] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\da-DK\\" | out: lpString1="C:\\Boot\\da-DK\\") returned="C:\\Boot\\da-DK\\" [0088.069] lstrcatW (in: lpString1="C:\\Boot\\da-DK\\", lpString2="*.*" | out: lpString1="C:\\Boot\\da-DK\\*.*") returned="C:\\Boot\\da-DK\\*.*" [0088.069] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.070] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.070] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.070] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.070] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.070] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.070] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.071] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.071] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.071] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.071] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\da-DK\\" | out: lpString1="C:\\Boot\\da-DK\\") returned="C:\\Boot\\da-DK\\" [0088.071] lstrcatW (in: lpString1="C:\\Boot\\da-DK\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned="C:\\Boot\\da-DK\\bootmgr.exe.mui" [0088.071] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.071] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.071] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.071] lstrlenA (lpString="NEPHILIM") returned 8 [0088.071] GetProcessHeap () returned 0x4e0000 [0088.072] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502940 [0088.072] lstrlenA (lpString="NEPHILIM") returned 8 [0088.072] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.074] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.074] GetProcessHeap () returned 0x4e0000 [0088.074] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fc9d0 [0088.074] GetProcessHeap () returned 0x4e0000 [0088.074] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fc9e8 [0088.074] SystemFunction036 (in: RandomBuffer=0x4fc9d0, RandomBufferLength=0x10 | out: RandomBuffer=0x4fc9d0) returned 1 [0088.074] SystemFunction036 (in: RandomBuffer=0x4fc9e8, RandomBufferLength=0x10 | out: RandomBuffer=0x4fc9e8) returned 1 [0088.074] GetProcessHeap () returned 0x4e0000 [0088.074] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x503e08 [0088.074] GetProcessHeap () returned 0x4e0000 [0088.074] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x503f10 [0088.074] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x503e08*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x503e08*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.074] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x503f10*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x503f10*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.074] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.075] SetLastError (dwErrCode=0x0) [0088.075] WriteFile (in: hFile=0xffffffff, lpBuffer=0x503e08, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.075] GetLastError () returned 0x6 [0088.075] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.075] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.075] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2=".") returned 1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2="..") returned 1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2="...") returned 1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2="windows") returned -1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2="$RECYCLE.BIN") returned 1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2="rsa") returned -1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2="log") returned -1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2="NTDETECT.COM") returned -1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2="ntldr") returned -1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2="MSDOS.SYS") returned -1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2="IO.SYS") returned -1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2="boot.ini") returned 1 [0088.075] lstrcmpiW (lpString1="de-DE", lpString2="AUTOEXEC.BAT") returned 1 [0088.076] lstrcmpiW (lpString1="de-DE", lpString2="ntuser.dat") returned -1 [0088.076] lstrcmpiW (lpString1="de-DE", lpString2="desktop.ini") returned -1 [0088.076] lstrcmpiW (lpString1="de-DE", lpString2="CONFIG.SYS") returned 1 [0088.076] lstrcmpiW (lpString1="de-DE", lpString2="RECYCLER") returned -1 [0088.076] lstrcmpiW (lpString1="de-DE", lpString2="BOOTSECT.BAK") returned 1 [0088.076] lstrcmpiW (lpString1="de-DE", lpString2="bootmgr") returned 1 [0088.076] lstrcmpiW (lpString1="de-DE", lpString2="programdata") returned -1 [0088.076] lstrcmpiW (lpString1="de-DE", lpString2="appdata") returned 1 [0088.076] lstrcmpiW (lpString1="de-DE", lpString2="program files") returned -1 [0088.076] lstrcmpiW (lpString1="de-DE", lpString2="program files (x86)") returned -1 [0088.076] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.076] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="de-DE" | out: lpString1="C:\\Boot\\de-DE") returned="C:\\Boot\\de-DE" [0088.076] lstrcatW (in: lpString1="C:\\Boot\\de-DE", lpString2="\\" | out: lpString1="C:\\Boot\\de-DE\\") returned="C:\\Boot\\de-DE\\" [0088.076] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\de-DE\\" | out: lpString1="C:\\Boot\\de-DE\\") returned="C:\\Boot\\de-DE\\" [0088.076] lstrcatW (in: lpString1="C:\\Boot\\de-DE\\", lpString2="*.*" | out: lpString1="C:\\Boot\\de-DE\\*.*") returned="C:\\Boot\\de-DE\\*.*" [0088.076] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.077] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.077] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.077] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.077] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.077] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.077] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.078] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.078] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.078] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.078] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.078] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\de-DE\\" | out: lpString1="C:\\Boot\\de-DE\\") returned="C:\\Boot\\de-DE\\" [0088.078] lstrcatW (in: lpString1="C:\\Boot\\de-DE\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned="C:\\Boot\\de-DE\\bootmgr.exe.mui" [0088.078] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.078] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.078] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.079] lstrlenA (lpString="NEPHILIM") returned 8 [0088.079] GetProcessHeap () returned 0x4e0000 [0088.079] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502950 [0088.079] lstrlenA (lpString="NEPHILIM") returned 8 [0088.079] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.079] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.079] GetProcessHeap () returned 0x4e0000 [0088.079] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fca00 [0088.079] GetProcessHeap () returned 0x4e0000 [0088.079] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fca18 [0088.079] SystemFunction036 (in: RandomBuffer=0x4fca00, RandomBufferLength=0x10 | out: RandomBuffer=0x4fca00) returned 1 [0088.079] SystemFunction036 (in: RandomBuffer=0x4fca18, RandomBufferLength=0x10 | out: RandomBuffer=0x4fca18) returned 1 [0088.079] GetProcessHeap () returned 0x4e0000 [0088.079] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x504018 [0088.079] GetProcessHeap () returned 0x4e0000 [0088.079] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x504120 [0088.079] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x504018*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x504018*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.080] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x504120*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x504120*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.080] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.080] SetLastError (dwErrCode=0x0) [0088.080] WriteFile (in: hFile=0xffffffff, lpBuffer=0x504018, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.080] GetLastError () returned 0x6 [0088.080] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.080] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.080] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0088.080] lstrcmpiW (lpString1="el-GR", lpString2=".") returned 1 [0088.080] lstrcmpiW (lpString1="el-GR", lpString2="..") returned 1 [0088.080] lstrcmpiW (lpString1="el-GR", lpString2="...") returned 1 [0088.080] lstrcmpiW (lpString1="el-GR", lpString2="windows") returned -1 [0088.080] lstrcmpiW (lpString1="el-GR", lpString2="$RECYCLE.BIN") returned 1 [0088.080] lstrcmpiW (lpString1="el-GR", lpString2="rsa") returned -1 [0088.080] lstrcmpiW (lpString1="el-GR", lpString2="log") returned -1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="NTDETECT.COM") returned -1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="ntldr") returned -1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="MSDOS.SYS") returned -1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="IO.SYS") returned -1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="boot.ini") returned 1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="AUTOEXEC.BAT") returned 1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="ntuser.dat") returned -1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="desktop.ini") returned 1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="CONFIG.SYS") returned 1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="RECYCLER") returned -1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="BOOTSECT.BAK") returned 1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="bootmgr") returned 1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="programdata") returned -1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="appdata") returned 1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="program files") returned -1 [0088.081] lstrcmpiW (lpString1="el-GR", lpString2="program files (x86)") returned -1 [0088.081] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.081] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="el-GR" | out: lpString1="C:\\Boot\\el-GR") returned="C:\\Boot\\el-GR" [0088.081] lstrcatW (in: lpString1="C:\\Boot\\el-GR", lpString2="\\" | out: lpString1="C:\\Boot\\el-GR\\") returned="C:\\Boot\\el-GR\\" [0088.081] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\el-GR\\" | out: lpString1="C:\\Boot\\el-GR\\") returned="C:\\Boot\\el-GR\\" [0088.081] lstrcatW (in: lpString1="C:\\Boot\\el-GR\\", lpString2="*.*" | out: lpString1="C:\\Boot\\el-GR\\*.*") returned="C:\\Boot\\el-GR\\*.*" [0088.081] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.082] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.082] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.082] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.082] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.082] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.082] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.083] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.083] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\el-GR\\" | out: lpString1="C:\\Boot\\el-GR\\") returned="C:\\Boot\\el-GR\\" [0088.083] lstrcatW (in: lpString1="C:\\Boot\\el-GR\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned="C:\\Boot\\el-GR\\bootmgr.exe.mui" [0088.083] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.083] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.084] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.084] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.084] lstrlenA (lpString="NEPHILIM") returned 8 [0088.084] GetProcessHeap () returned 0x4e0000 [0088.084] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502960 [0088.084] lstrlenA (lpString="NEPHILIM") returned 8 [0088.084] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.104] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.105] GetProcessHeap () returned 0x4e0000 [0088.105] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fca30 [0088.105] GetProcessHeap () returned 0x4e0000 [0088.105] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fca48 [0088.105] SystemFunction036 (in: RandomBuffer=0x4fca30, RandomBufferLength=0x10 | out: RandomBuffer=0x4fca30) returned 1 [0088.105] SystemFunction036 (in: RandomBuffer=0x4fca48, RandomBufferLength=0x10 | out: RandomBuffer=0x4fca48) returned 1 [0088.105] GetProcessHeap () returned 0x4e0000 [0088.105] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x504228 [0088.105] GetProcessHeap () returned 0x4e0000 [0088.105] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x504330 [0088.105] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x504228*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x504228*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.105] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x504330*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x504330*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.105] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.105] SetLastError (dwErrCode=0x0) [0088.105] WriteFile (in: hFile=0xffffffff, lpBuffer=0x504228, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.105] GetLastError () returned 0x6 [0088.105] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.105] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.106] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="en-US", cAlternateFileName="")) returned 1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="log") returned -1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="NTDETECT.COM") returned -1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="ntldr") returned -1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="MSDOS.SYS") returned -1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="IO.SYS") returned -1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="boot.ini") returned 1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="AUTOEXEC.BAT") returned 1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="desktop.ini") returned 1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="CONFIG.SYS") returned 1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="RECYCLER") returned -1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="BOOTSECT.BAK") returned 1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0088.106] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0088.106] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.106] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="en-US" | out: lpString1="C:\\Boot\\en-US") returned="C:\\Boot\\en-US" [0088.107] lstrcatW (in: lpString1="C:\\Boot\\en-US", lpString2="\\" | out: lpString1="C:\\Boot\\en-US\\") returned="C:\\Boot\\en-US\\" [0088.107] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\en-US\\" | out: lpString1="C:\\Boot\\en-US\\") returned="C:\\Boot\\en-US\\" [0088.107] lstrcatW (in: lpString1="C:\\Boot\\en-US\\", lpString2="*.*" | out: lpString1="C:\\Boot\\en-US\\*.*") returned="C:\\Boot\\en-US\\*.*" [0088.107] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.107] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.107] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.107] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.107] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.107] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.107] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.108] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.108] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\en-US\\" | out: lpString1="C:\\Boot\\en-US\\") returned="C:\\Boot\\en-US\\" [0088.108] lstrcatW (in: lpString1="C:\\Boot\\en-US\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\en-US\\bootmgr.exe.mui") returned="C:\\Boot\\en-US\\bootmgr.exe.mui" [0088.108] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.108] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.108] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.108] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.108] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.109] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.109] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.109] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.109] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.109] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.109] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.109] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.109] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.109] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.109] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.109] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.109] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.109] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.109] lstrlenA (lpString="NEPHILIM") returned 8 [0088.109] GetProcessHeap () returned 0x4e0000 [0088.109] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502970 [0088.109] lstrlenA (lpString="NEPHILIM") returned 8 [0088.109] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.109] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.109] GetProcessHeap () returned 0x4e0000 [0088.110] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fca60 [0088.110] GetProcessHeap () returned 0x4e0000 [0088.110] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fca78 [0088.110] SystemFunction036 (in: RandomBuffer=0x4fca60, RandomBufferLength=0x10 | out: RandomBuffer=0x4fca60) returned 1 [0088.110] SystemFunction036 (in: RandomBuffer=0x4fca78, RandomBufferLength=0x10 | out: RandomBuffer=0x4fca78) returned 1 [0088.110] GetProcessHeap () returned 0x4e0000 [0088.110] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x504438 [0088.110] GetProcessHeap () returned 0x4e0000 [0088.110] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x504540 [0088.110] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x504438*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x504438*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.110] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x504540*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x504540*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.110] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.110] SetLastError (dwErrCode=0x0) [0088.110] WriteFile (in: hFile=0xffffffff, lpBuffer=0x504438, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.111] GetLastError () returned 0x6 [0088.111] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="log") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0088.111] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0088.112] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0088.112] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\en-US\\" | out: lpString1="C:\\Boot\\en-US\\") returned="C:\\Boot\\en-US\\" [0088.112] lstrcatW (in: lpString1="C:\\Boot\\en-US\\", lpString2="memtest.exe.mui" | out: lpString1="C:\\Boot\\en-US\\memtest.exe.mui") returned="C:\\Boot\\en-US\\memtest.exe.mui" [0088.112] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.112] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.112] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.112] lstrlenA (lpString="NEPHILIM") returned 8 [0088.112] GetProcessHeap () returned 0x4e0000 [0088.112] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502980 [0088.112] lstrlenA (lpString="NEPHILIM") returned 8 [0088.113] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.113] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.113] GetProcessHeap () returned 0x4e0000 [0088.113] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fca90 [0088.113] GetProcessHeap () returned 0x4e0000 [0088.113] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcaa8 [0088.113] SystemFunction036 (in: RandomBuffer=0x4fca90, RandomBufferLength=0x10 | out: RandomBuffer=0x4fca90) returned 1 [0088.113] SystemFunction036 (in: RandomBuffer=0x4fcaa8, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcaa8) returned 1 [0088.113] GetProcessHeap () returned 0x4e0000 [0088.113] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x504648 [0088.113] GetProcessHeap () returned 0x4e0000 [0088.113] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x504750 [0088.113] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x504648*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x504648*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.113] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x504750*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x504750*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.114] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.114] SetLastError (dwErrCode=0x0) [0088.114] WriteFile (in: hFile=0xffffffff, lpBuffer=0x504648, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.114] GetLastError () returned 0x6 [0088.114] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0088.114] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.114] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0088.114] lstrcmpiW (lpString1="es-ES", lpString2=".") returned 1 [0088.114] lstrcmpiW (lpString1="es-ES", lpString2="..") returned 1 [0088.114] lstrcmpiW (lpString1="es-ES", lpString2="...") returned 1 [0088.114] lstrcmpiW (lpString1="es-ES", lpString2="windows") returned -1 [0088.114] lstrcmpiW (lpString1="es-ES", lpString2="$RECYCLE.BIN") returned 1 [0088.114] lstrcmpiW (lpString1="es-ES", lpString2="rsa") returned -1 [0088.114] lstrcmpiW (lpString1="es-ES", lpString2="log") returned -1 [0088.114] lstrcmpiW (lpString1="es-ES", lpString2="NTDETECT.COM") returned -1 [0088.114] lstrcmpiW (lpString1="es-ES", lpString2="ntldr") returned -1 [0088.114] lstrcmpiW (lpString1="es-ES", lpString2="MSDOS.SYS") returned -1 [0088.114] lstrcmpiW (lpString1="es-ES", lpString2="IO.SYS") returned -1 [0088.114] lstrcmpiW (lpString1="es-ES", lpString2="boot.ini") returned 1 [0088.115] lstrcmpiW (lpString1="es-ES", lpString2="AUTOEXEC.BAT") returned 1 [0088.115] lstrcmpiW (lpString1="es-ES", lpString2="ntuser.dat") returned -1 [0088.115] lstrcmpiW (lpString1="es-ES", lpString2="desktop.ini") returned 1 [0088.115] lstrcmpiW (lpString1="es-ES", lpString2="CONFIG.SYS") returned 1 [0088.115] lstrcmpiW (lpString1="es-ES", lpString2="RECYCLER") returned -1 [0088.115] lstrcmpiW (lpString1="es-ES", lpString2="BOOTSECT.BAK") returned 1 [0088.115] lstrcmpiW (lpString1="es-ES", lpString2="bootmgr") returned 1 [0088.115] lstrcmpiW (lpString1="es-ES", lpString2="programdata") returned -1 [0088.115] lstrcmpiW (lpString1="es-ES", lpString2="appdata") returned 1 [0088.115] lstrcmpiW (lpString1="es-ES", lpString2="program files") returned -1 [0088.115] lstrcmpiW (lpString1="es-ES", lpString2="program files (x86)") returned -1 [0088.115] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.115] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="es-ES" | out: lpString1="C:\\Boot\\es-ES") returned="C:\\Boot\\es-ES" [0088.115] lstrcatW (in: lpString1="C:\\Boot\\es-ES", lpString2="\\" | out: lpString1="C:\\Boot\\es-ES\\") returned="C:\\Boot\\es-ES\\" [0088.115] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\es-ES\\" | out: lpString1="C:\\Boot\\es-ES\\") returned="C:\\Boot\\es-ES\\" [0088.115] lstrcatW (in: lpString1="C:\\Boot\\es-ES\\", lpString2="*.*" | out: lpString1="C:\\Boot\\es-ES\\*.*") returned="C:\\Boot\\es-ES\\*.*" [0088.115] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.121] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.121] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.121] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.121] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.121] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.121] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.121] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.121] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.121] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.121] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.121] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.121] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.121] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.121] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.121] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.121] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.121] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.122] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.122] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.122] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.122] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.122] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.122] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.122] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.122] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.122] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.122] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.122] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.122] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\es-ES\\" | out: lpString1="C:\\Boot\\es-ES\\") returned="C:\\Boot\\es-ES\\" [0088.122] lstrcatW (in: lpString1="C:\\Boot\\es-ES\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned="C:\\Boot\\es-ES\\bootmgr.exe.mui" [0088.122] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.122] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.122] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.122] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.122] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.122] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.122] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.122] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.122] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.122] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.122] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.122] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.122] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.123] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.123] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.123] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.123] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.123] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.123] lstrlenA (lpString="NEPHILIM") returned 8 [0088.123] GetProcessHeap () returned 0x4e0000 [0088.123] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502990 [0088.123] lstrlenA (lpString="NEPHILIM") returned 8 [0088.123] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.123] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.123] GetProcessHeap () returned 0x4e0000 [0088.123] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcac0 [0088.123] GetProcessHeap () returned 0x4e0000 [0088.123] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcad8 [0088.123] SystemFunction036 (in: RandomBuffer=0x4fcac0, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcac0) returned 1 [0088.123] SystemFunction036 (in: RandomBuffer=0x4fcad8, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcad8) returned 1 [0088.123] GetProcessHeap () returned 0x4e0000 [0088.124] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x504858 [0088.124] GetProcessHeap () returned 0x4e0000 [0088.124] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x504960 [0088.124] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x504858*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x504858*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.124] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x504960*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x504960*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.124] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.124] SetLastError (dwErrCode=0x0) [0088.124] WriteFile (in: hFile=0xffffffff, lpBuffer=0x504858, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.124] GetLastError () returned 0x6 [0088.124] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.124] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.125] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2=".") returned 1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="..") returned 1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="...") returned 1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="windows") returned -1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="$RECYCLE.BIN") returned 1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="rsa") returned -1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="log") returned -1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="NTDETECT.COM") returned -1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="ntldr") returned -1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="MSDOS.SYS") returned -1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="IO.SYS") returned -1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="boot.ini") returned 1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="AUTOEXEC.BAT") returned 1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="ntuser.dat") returned -1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="desktop.ini") returned 1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="CONFIG.SYS") returned 1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="RECYCLER") returned -1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="BOOTSECT.BAK") returned 1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="bootmgr") returned 1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="programdata") returned -1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="appdata") returned 1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="program files") returned -1 [0088.125] lstrcmpiW (lpString1="fi-FI", lpString2="program files (x86)") returned -1 [0088.125] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.125] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="fi-FI" | out: lpString1="C:\\Boot\\fi-FI") returned="C:\\Boot\\fi-FI" [0088.125] lstrcatW (in: lpString1="C:\\Boot\\fi-FI", lpString2="\\" | out: lpString1="C:\\Boot\\fi-FI\\") returned="C:\\Boot\\fi-FI\\" [0088.126] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\fi-FI\\" | out: lpString1="C:\\Boot\\fi-FI\\") returned="C:\\Boot\\fi-FI\\" [0088.126] lstrcatW (in: lpString1="C:\\Boot\\fi-FI\\", lpString2="*.*" | out: lpString1="C:\\Boot\\fi-FI\\*.*") returned="C:\\Boot\\fi-FI\\*.*" [0088.126] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.126] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.126] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.126] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.126] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.126] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.126] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.126] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.126] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.126] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.126] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.126] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.127] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.127] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\fi-FI\\" | out: lpString1="C:\\Boot\\fi-FI\\") returned="C:\\Boot\\fi-FI\\" [0088.127] lstrcatW (in: lpString1="C:\\Boot\\fi-FI\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned="C:\\Boot\\fi-FI\\bootmgr.exe.mui" [0088.127] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.127] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.127] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.127] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.127] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.127] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.128] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.128] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.128] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.128] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.128] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.128] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.128] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.128] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.128] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.128] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.128] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.128] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.128] lstrlenA (lpString="NEPHILIM") returned 8 [0088.128] GetProcessHeap () returned 0x4e0000 [0088.128] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5029a0 [0088.128] lstrlenA (lpString="NEPHILIM") returned 8 [0088.128] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.128] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.128] GetProcessHeap () returned 0x4e0000 [0088.128] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcaf0 [0088.128] GetProcessHeap () returned 0x4e0000 [0088.129] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcb08 [0088.129] SystemFunction036 (in: RandomBuffer=0x4fcaf0, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcaf0) returned 1 [0088.129] SystemFunction036 (in: RandomBuffer=0x4fcb08, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcb08) returned 1 [0088.129] GetProcessHeap () returned 0x4e0000 [0088.129] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5053a8 [0088.129] GetProcessHeap () returned 0x4e0000 [0088.129] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5054b0 [0088.129] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5053a8*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x5053a8*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.129] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5054b0*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x5054b0*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.129] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.129] SetLastError (dwErrCode=0x0) [0088.129] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5053a8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.129] GetLastError () returned 0x6 [0088.129] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.130] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.130] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2=".") returned 1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="..") returned 1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="...") returned 1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="windows") returned -1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="$RECYCLE.BIN") returned 1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="rsa") returned -1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="log") returned -1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="NTDETECT.COM") returned -1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="ntldr") returned -1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="MSDOS.SYS") returned -1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="IO.SYS") returned -1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="boot.ini") returned 1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="AUTOEXEC.BAT") returned 1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="ntuser.dat") returned -1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="desktop.ini") returned 1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="CONFIG.SYS") returned 1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="RECYCLER") returned -1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="BOOTSECT.BAK") returned 1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="bootmgr") returned 1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="programdata") returned -1 [0088.130] lstrcmpiW (lpString1="Fonts", lpString2="appdata") returned 1 [0088.131] lstrcmpiW (lpString1="Fonts", lpString2="program files") returned -1 [0088.131] lstrcmpiW (lpString1="Fonts", lpString2="program files (x86)") returned -1 [0088.131] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.131] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="Fonts" | out: lpString1="C:\\Boot\\Fonts") returned="C:\\Boot\\Fonts" [0088.131] lstrcatW (in: lpString1="C:\\Boot\\Fonts", lpString2="\\" | out: lpString1="C:\\Boot\\Fonts\\") returned="C:\\Boot\\Fonts\\" [0088.131] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\Fonts\\" | out: lpString1="C:\\Boot\\Fonts\\") returned="C:\\Boot\\Fonts\\" [0088.131] lstrcatW (in: lpString1="C:\\Boot\\Fonts\\", lpString2="*.*" | out: lpString1="C:\\Boot\\Fonts\\*.*") returned="C:\\Boot\\Fonts\\*.*" [0088.131] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.139] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.139] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.139] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.139] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.139] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2=".") returned 1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="..") returned 1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="...") returned 1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="windows") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="rsa") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="log") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="ntldr") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="IO.SYS") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="boot.ini") returned 1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="ntuser.dat") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="desktop.ini") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="CONFIG.SYS") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="RECYCLER") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="bootmgr") returned 1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="programdata") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="appdata") returned 1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="program files") returned -1 [0088.140] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="program files (x86)") returned -1 [0088.140] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\Fonts\\" | out: lpString1="C:\\Boot\\Fonts\\") returned="C:\\Boot\\Fonts\\" [0088.140] lstrcatW (in: lpString1="C:\\Boot\\Fonts\\", lpString2="chs_boot.ttf" | out: lpString1="C:\\Boot\\Fonts\\chs_boot.ttf") returned="C:\\Boot\\Fonts\\chs_boot.ttf" [0088.140] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0088.141] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0088.141] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0088.141] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0088.141] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0088.141] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0088.141] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0088.141] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0088.141] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0088.141] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0088.141] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0088.141] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac191e00, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac191e00, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6505f253, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2=".") returned 1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="..") returned 1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="...") returned 1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="windows") returned -1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="rsa") returned -1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="log") returned -1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="ntldr") returned -1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="IO.SYS") returned -1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="boot.ini") returned 1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0088.141] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="ntuser.dat") returned -1 [0088.142] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="desktop.ini") returned -1 [0088.142] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="CONFIG.SYS") returned -1 [0088.142] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="RECYCLER") returned -1 [0088.142] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0088.142] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="bootmgr") returned 1 [0088.142] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="programdata") returned -1 [0088.142] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="appdata") returned 1 [0088.142] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="program files") returned -1 [0088.142] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="program files (x86)") returned -1 [0088.142] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\Fonts\\" | out: lpString1="C:\\Boot\\Fonts\\") returned="C:\\Boot\\Fonts\\" [0088.142] lstrcatW (in: lpString1="C:\\Boot\\Fonts\\", lpString2="cht_boot.ttf" | out: lpString1="C:\\Boot\\Fonts\\cht_boot.ttf") returned="C:\\Boot\\Fonts\\cht_boot.ttf" [0088.142] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0088.142] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0088.142] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0088.142] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0088.142] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0088.142] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0088.142] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0088.142] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0088.142] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0088.142] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0088.142] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0088.142] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac204220, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac204220, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65274577, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0088.142] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2=".") returned 1 [0088.142] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="..") returned 1 [0088.142] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="...") returned 1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="windows") returned -1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="rsa") returned -1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="log") returned -1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="ntldr") returned -1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="IO.SYS") returned 1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="boot.ini") returned 1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="ntuser.dat") returned -1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="desktop.ini") returned 1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="RECYCLER") returned -1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="bootmgr") returned 1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="programdata") returned -1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="appdata") returned 1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="program files") returned -1 [0088.143] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="program files (x86)") returned -1 [0088.143] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\Fonts\\" | out: lpString1="C:\\Boot\\Fonts\\") returned="C:\\Boot\\Fonts\\" [0088.143] lstrcatW (in: lpString1="C:\\Boot\\Fonts\\", lpString2="jpn_boot.ttf" | out: lpString1="C:\\Boot\\Fonts\\jpn_boot.ttf") returned="C:\\Boot\\Fonts\\jpn_boot.ttf" [0088.143] PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0088.143] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0088.143] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0088.144] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0088.144] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0088.144] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0088.144] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0088.144] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0088.144] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0088.144] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0088.144] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0088.144] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac22a380, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac22a380, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6530caef, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2=".") returned 1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="..") returned 1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="...") returned 1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="windows") returned -1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="rsa") returned -1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="log") returned -1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="ntldr") returned -1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="IO.SYS") returned 1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="boot.ini") returned 1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="ntuser.dat") returned -1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="desktop.ini") returned 1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0088.144] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="RECYCLER") returned -1 [0088.145] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0088.145] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="bootmgr") returned 1 [0088.145] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="programdata") returned -1 [0088.145] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="appdata") returned 1 [0088.145] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="program files") returned -1 [0088.145] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="program files (x86)") returned -1 [0088.145] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\Fonts\\" | out: lpString1="C:\\Boot\\Fonts\\") returned="C:\\Boot\\Fonts\\" [0088.145] lstrcatW (in: lpString1="C:\\Boot\\Fonts\\", lpString2="kor_boot.ttf" | out: lpString1="C:\\Boot\\Fonts\\kor_boot.ttf") returned="C:\\Boot\\Fonts\\kor_boot.ttf" [0088.145] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0088.145] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0088.145] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0088.145] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0088.145] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0088.145] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0088.145] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0088.145] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0088.145] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0088.145] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0088.145] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0088.145] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0088.145] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2=".") returned 1 [0088.145] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="..") returned 1 [0088.145] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="...") returned 1 [0088.145] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="windows") returned -1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="rsa") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="log") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="NTDETECT.COM") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="ntldr") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="IO.SYS") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="boot.ini") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="ntuser.dat") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="desktop.ini") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="RECYCLER") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="bootmgr") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="programdata") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="appdata") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="program files") returned 1 [0088.146] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="program files (x86)") returned 1 [0088.146] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\Fonts\\" | out: lpString1="C:\\Boot\\Fonts\\") returned="C:\\Boot\\Fonts\\" [0088.146] lstrcatW (in: lpString1="C:\\Boot\\Fonts\\", lpString2="wgl4_boot.ttf" | out: lpString1="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned="C:\\Boot\\Fonts\\wgl4_boot.ttf" [0088.146] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" [0088.146] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0088.146] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0088.146] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0088.146] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0088.146] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0088.147] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0088.147] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0088.147] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0088.147] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0088.147] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0088.147] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0088.147] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.147] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2=".") returned 1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="..") returned 1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="...") returned 1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="windows") returned -1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="$RECYCLE.BIN") returned 1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="rsa") returned -1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="log") returned -1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="NTDETECT.COM") returned -1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="ntldr") returned -1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="MSDOS.SYS") returned -1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="IO.SYS") returned -1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="boot.ini") returned 1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="AUTOEXEC.BAT") returned 1 [0088.147] lstrcmpiW (lpString1="fr-FR", lpString2="ntuser.dat") returned -1 [0088.148] lstrcmpiW (lpString1="fr-FR", lpString2="desktop.ini") returned 1 [0088.148] lstrcmpiW (lpString1="fr-FR", lpString2="CONFIG.SYS") returned 1 [0088.148] lstrcmpiW (lpString1="fr-FR", lpString2="RECYCLER") returned -1 [0088.148] lstrcmpiW (lpString1="fr-FR", lpString2="BOOTSECT.BAK") returned 1 [0088.148] lstrcmpiW (lpString1="fr-FR", lpString2="bootmgr") returned 1 [0088.148] lstrcmpiW (lpString1="fr-FR", lpString2="programdata") returned -1 [0088.148] lstrcmpiW (lpString1="fr-FR", lpString2="appdata") returned 1 [0088.148] lstrcmpiW (lpString1="fr-FR", lpString2="program files") returned -1 [0088.148] lstrcmpiW (lpString1="fr-FR", lpString2="program files (x86)") returned -1 [0088.148] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.148] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="fr-FR" | out: lpString1="C:\\Boot\\fr-FR") returned="C:\\Boot\\fr-FR" [0088.148] lstrcatW (in: lpString1="C:\\Boot\\fr-FR", lpString2="\\" | out: lpString1="C:\\Boot\\fr-FR\\") returned="C:\\Boot\\fr-FR\\" [0088.148] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\fr-FR\\" | out: lpString1="C:\\Boot\\fr-FR\\") returned="C:\\Boot\\fr-FR\\" [0088.148] lstrcatW (in: lpString1="C:\\Boot\\fr-FR\\", lpString2="*.*" | out: lpString1="C:\\Boot\\fr-FR\\*.*") returned="C:\\Boot\\fr-FR\\*.*" [0088.148] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.150] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.150] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.151] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.151] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.151] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.152] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\fr-FR\\" | out: lpString1="C:\\Boot\\fr-FR\\") returned="C:\\Boot\\fr-FR\\" [0088.152] lstrcatW (in: lpString1="C:\\Boot\\fr-FR\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned="C:\\Boot\\fr-FR\\bootmgr.exe.mui" [0088.152] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.152] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.152] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.152] lstrlenA (lpString="NEPHILIM") returned 8 [0088.152] GetProcessHeap () returned 0x4e0000 [0088.152] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5029b0 [0088.152] lstrlenA (lpString="NEPHILIM") returned 8 [0088.153] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.153] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.153] GetProcessHeap () returned 0x4e0000 [0088.153] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcb20 [0088.153] GetProcessHeap () returned 0x4e0000 [0088.153] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcb38 [0088.153] SystemFunction036 (in: RandomBuffer=0x4fcb20, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcb20) returned 1 [0088.153] SystemFunction036 (in: RandomBuffer=0x4fcb38, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcb38) returned 1 [0088.153] GetProcessHeap () returned 0x4e0000 [0088.153] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5055b8 [0088.153] GetProcessHeap () returned 0x4e0000 [0088.153] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5056c0 [0088.153] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5055b8*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x5055b8*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.153] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5056c0*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x5056c0*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.154] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.154] SetLastError (dwErrCode=0x0) [0088.154] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5055b8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.154] GetLastError () returned 0x6 [0088.154] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.154] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.154] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0088.154] lstrcmpiW (lpString1="hu-HU", lpString2=".") returned 1 [0088.154] lstrcmpiW (lpString1="hu-HU", lpString2="..") returned 1 [0088.154] lstrcmpiW (lpString1="hu-HU", lpString2="...") returned 1 [0088.154] lstrcmpiW (lpString1="hu-HU", lpString2="windows") returned -1 [0088.154] lstrcmpiW (lpString1="hu-HU", lpString2="$RECYCLE.BIN") returned 1 [0088.154] lstrcmpiW (lpString1="hu-HU", lpString2="rsa") returned -1 [0088.154] lstrcmpiW (lpString1="hu-HU", lpString2="log") returned -1 [0088.154] lstrcmpiW (lpString1="hu-HU", lpString2="NTDETECT.COM") returned -1 [0088.154] lstrcmpiW (lpString1="hu-HU", lpString2="ntldr") returned -1 [0088.154] lstrcmpiW (lpString1="hu-HU", lpString2="MSDOS.SYS") returned -1 [0088.154] lstrcmpiW (lpString1="hu-HU", lpString2="IO.SYS") returned -1 [0088.154] lstrcmpiW (lpString1="hu-HU", lpString2="boot.ini") returned 1 [0088.155] lstrcmpiW (lpString1="hu-HU", lpString2="AUTOEXEC.BAT") returned 1 [0088.155] lstrcmpiW (lpString1="hu-HU", lpString2="ntuser.dat") returned -1 [0088.155] lstrcmpiW (lpString1="hu-HU", lpString2="desktop.ini") returned 1 [0088.155] lstrcmpiW (lpString1="hu-HU", lpString2="CONFIG.SYS") returned 1 [0088.155] lstrcmpiW (lpString1="hu-HU", lpString2="RECYCLER") returned -1 [0088.155] lstrcmpiW (lpString1="hu-HU", lpString2="BOOTSECT.BAK") returned 1 [0088.155] lstrcmpiW (lpString1="hu-HU", lpString2="bootmgr") returned 1 [0088.155] lstrcmpiW (lpString1="hu-HU", lpString2="programdata") returned -1 [0088.155] lstrcmpiW (lpString1="hu-HU", lpString2="appdata") returned 1 [0088.155] lstrcmpiW (lpString1="hu-HU", lpString2="program files") returned -1 [0088.155] lstrcmpiW (lpString1="hu-HU", lpString2="program files (x86)") returned -1 [0088.155] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.155] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="hu-HU" | out: lpString1="C:\\Boot\\hu-HU") returned="C:\\Boot\\hu-HU" [0088.155] lstrcatW (in: lpString1="C:\\Boot\\hu-HU", lpString2="\\" | out: lpString1="C:\\Boot\\hu-HU\\") returned="C:\\Boot\\hu-HU\\" [0088.155] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\hu-HU\\" | out: lpString1="C:\\Boot\\hu-HU\\") returned="C:\\Boot\\hu-HU\\" [0088.155] lstrcatW (in: lpString1="C:\\Boot\\hu-HU\\", lpString2="*.*" | out: lpString1="C:\\Boot\\hu-HU\\*.*") returned="C:\\Boot\\hu-HU\\*.*" [0088.155] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.156] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.156] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.156] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.156] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.156] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.156] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.157] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.157] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.157] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.157] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.157] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\hu-HU\\" | out: lpString1="C:\\Boot\\hu-HU\\") returned="C:\\Boot\\hu-HU\\" [0088.157] lstrcatW (in: lpString1="C:\\Boot\\hu-HU\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned="C:\\Boot\\hu-HU\\bootmgr.exe.mui" [0088.157] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.157] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.157] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.157] lstrlenA (lpString="NEPHILIM") returned 8 [0088.157] GetProcessHeap () returned 0x4e0000 [0088.157] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5029c0 [0088.158] lstrlenA (lpString="NEPHILIM") returned 8 [0088.158] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.158] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.158] GetProcessHeap () returned 0x4e0000 [0088.158] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcb50 [0088.158] GetProcessHeap () returned 0x4e0000 [0088.158] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcb68 [0088.158] SystemFunction036 (in: RandomBuffer=0x4fcb50, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcb50) returned 1 [0088.158] SystemFunction036 (in: RandomBuffer=0x4fcb68, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcb68) returned 1 [0088.158] GetProcessHeap () returned 0x4e0000 [0088.158] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5057c8 [0088.158] GetProcessHeap () returned 0x4e0000 [0088.158] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5058d0 [0088.158] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5057c8*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x5057c8*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.158] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5058d0*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x5058d0*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.158] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.159] SetLastError (dwErrCode=0x0) [0088.159] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5057c8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.159] GetLastError () returned 0x6 [0088.159] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.159] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.159] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2=".") returned 1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="..") returned 1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="...") returned 1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="windows") returned -1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="$RECYCLE.BIN") returned 1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="rsa") returned -1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="log") returned -1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="NTDETECT.COM") returned -1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="ntldr") returned -1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="MSDOS.SYS") returned -1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="IO.SYS") returned 1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="boot.ini") returned 1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="AUTOEXEC.BAT") returned 1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="ntuser.dat") returned -1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="desktop.ini") returned 1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="CONFIG.SYS") returned 1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="RECYCLER") returned -1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="BOOTSECT.BAK") returned 1 [0088.159] lstrcmpiW (lpString1="it-IT", lpString2="bootmgr") returned 1 [0088.160] lstrcmpiW (lpString1="it-IT", lpString2="programdata") returned -1 [0088.160] lstrcmpiW (lpString1="it-IT", lpString2="appdata") returned 1 [0088.160] lstrcmpiW (lpString1="it-IT", lpString2="program files") returned -1 [0088.160] lstrcmpiW (lpString1="it-IT", lpString2="program files (x86)") returned -1 [0088.160] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.160] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="it-IT" | out: lpString1="C:\\Boot\\it-IT") returned="C:\\Boot\\it-IT" [0088.160] lstrcatW (in: lpString1="C:\\Boot\\it-IT", lpString2="\\" | out: lpString1="C:\\Boot\\it-IT\\") returned="C:\\Boot\\it-IT\\" [0088.160] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\it-IT\\" | out: lpString1="C:\\Boot\\it-IT\\") returned="C:\\Boot\\it-IT\\" [0088.160] lstrcatW (in: lpString1="C:\\Boot\\it-IT\\", lpString2="*.*" | out: lpString1="C:\\Boot\\it-IT\\*.*") returned="C:\\Boot\\it-IT\\*.*" [0088.160] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.162] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.162] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.162] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.162] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.162] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.162] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.162] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.163] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.163] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\it-IT\\" | out: lpString1="C:\\Boot\\it-IT\\") returned="C:\\Boot\\it-IT\\" [0088.163] lstrcatW (in: lpString1="C:\\Boot\\it-IT\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned="C:\\Boot\\it-IT\\bootmgr.exe.mui" [0088.163] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.163] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.164] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.164] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.164] lstrlenA (lpString="NEPHILIM") returned 8 [0088.164] GetProcessHeap () returned 0x4e0000 [0088.164] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5029d0 [0088.164] lstrlenA (lpString="NEPHILIM") returned 8 [0088.164] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.165] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.165] GetProcessHeap () returned 0x4e0000 [0088.165] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcb80 [0088.165] GetProcessHeap () returned 0x4e0000 [0088.165] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcb98 [0088.165] SystemFunction036 (in: RandomBuffer=0x4fcb80, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcb80) returned 1 [0088.165] SystemFunction036 (in: RandomBuffer=0x4fcb98, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcb98) returned 1 [0088.165] GetProcessHeap () returned 0x4e0000 [0088.165] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5059d8 [0088.165] GetProcessHeap () returned 0x4e0000 [0088.165] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x505ae0 [0088.165] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5059d8*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x5059d8*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.165] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x505ae0*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x505ae0*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.165] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.166] SetLastError (dwErrCode=0x0) [0088.166] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5059d8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.166] GetLastError () returned 0x6 [0088.166] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.166] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.166] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2=".") returned 1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="..") returned 1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="...") returned 1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="windows") returned -1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="$RECYCLE.BIN") returned 1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="rsa") returned -1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="log") returned -1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="NTDETECT.COM") returned -1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="ntldr") returned -1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="MSDOS.SYS") returned -1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="IO.SYS") returned 1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="boot.ini") returned 1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="AUTOEXEC.BAT") returned 1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="ntuser.dat") returned -1 [0088.166] lstrcmpiW (lpString1="ja-JP", lpString2="desktop.ini") returned 1 [0088.167] lstrcmpiW (lpString1="ja-JP", lpString2="CONFIG.SYS") returned 1 [0088.167] lstrcmpiW (lpString1="ja-JP", lpString2="RECYCLER") returned -1 [0088.167] lstrcmpiW (lpString1="ja-JP", lpString2="BOOTSECT.BAK") returned 1 [0088.167] lstrcmpiW (lpString1="ja-JP", lpString2="bootmgr") returned 1 [0088.167] lstrcmpiW (lpString1="ja-JP", lpString2="programdata") returned -1 [0088.167] lstrcmpiW (lpString1="ja-JP", lpString2="appdata") returned 1 [0088.167] lstrcmpiW (lpString1="ja-JP", lpString2="program files") returned -1 [0088.167] lstrcmpiW (lpString1="ja-JP", lpString2="program files (x86)") returned -1 [0088.167] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.167] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="ja-JP" | out: lpString1="C:\\Boot\\ja-JP") returned="C:\\Boot\\ja-JP" [0088.167] lstrcatW (in: lpString1="C:\\Boot\\ja-JP", lpString2="\\" | out: lpString1="C:\\Boot\\ja-JP\\") returned="C:\\Boot\\ja-JP\\" [0088.167] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\ja-JP\\" | out: lpString1="C:\\Boot\\ja-JP\\") returned="C:\\Boot\\ja-JP\\" [0088.167] lstrcatW (in: lpString1="C:\\Boot\\ja-JP\\", lpString2="*.*" | out: lpString1="C:\\Boot\\ja-JP\\*.*") returned="C:\\Boot\\ja-JP\\*.*" [0088.167] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.168] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.168] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.168] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.168] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.168] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.168] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.169] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.169] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.169] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.169] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.169] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.169] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\ja-JP\\" | out: lpString1="C:\\Boot\\ja-JP\\") returned="C:\\Boot\\ja-JP\\" [0088.169] lstrcatW (in: lpString1="C:\\Boot\\ja-JP\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned="C:\\Boot\\ja-JP\\bootmgr.exe.mui" [0088.169] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.169] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.169] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.170] lstrlenA (lpString="NEPHILIM") returned 8 [0088.170] GetProcessHeap () returned 0x4e0000 [0088.170] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5029e0 [0088.170] lstrlenA (lpString="NEPHILIM") returned 8 [0088.170] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.170] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.170] GetProcessHeap () returned 0x4e0000 [0088.170] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcbb0 [0088.170] GetProcessHeap () returned 0x4e0000 [0088.170] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcbc8 [0088.170] SystemFunction036 (in: RandomBuffer=0x4fcbb0, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcbb0) returned 1 [0088.170] SystemFunction036 (in: RandomBuffer=0x4fcbc8, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcbc8) returned 1 [0088.170] GetProcessHeap () returned 0x4e0000 [0088.170] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x505be8 [0088.170] GetProcessHeap () returned 0x4e0000 [0088.170] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x505cf0 [0088.170] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x505be8*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x505be8*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.171] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x505cf0*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x505cf0*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.171] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.171] SetLastError (dwErrCode=0x0) [0088.171] WriteFile (in: hFile=0xffffffff, lpBuffer=0x505be8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.171] GetLastError () returned 0x6 [0088.171] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.171] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.171] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0088.171] lstrcmpiW (lpString1="ko-KR", lpString2=".") returned 1 [0088.171] lstrcmpiW (lpString1="ko-KR", lpString2="..") returned 1 [0088.171] lstrcmpiW (lpString1="ko-KR", lpString2="...") returned 1 [0088.171] lstrcmpiW (lpString1="ko-KR", lpString2="windows") returned -1 [0088.171] lstrcmpiW (lpString1="ko-KR", lpString2="$RECYCLE.BIN") returned 1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="rsa") returned -1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="log") returned -1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="NTDETECT.COM") returned -1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="ntldr") returned -1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="MSDOS.SYS") returned -1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="IO.SYS") returned 1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="boot.ini") returned 1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="AUTOEXEC.BAT") returned 1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="ntuser.dat") returned -1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="desktop.ini") returned 1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="CONFIG.SYS") returned 1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="RECYCLER") returned -1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="BOOTSECT.BAK") returned 1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="bootmgr") returned 1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="programdata") returned -1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="appdata") returned 1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="program files") returned -1 [0088.172] lstrcmpiW (lpString1="ko-KR", lpString2="program files (x86)") returned -1 [0088.172] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.172] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="ko-KR" | out: lpString1="C:\\Boot\\ko-KR") returned="C:\\Boot\\ko-KR" [0088.172] lstrcatW (in: lpString1="C:\\Boot\\ko-KR", lpString2="\\" | out: lpString1="C:\\Boot\\ko-KR\\") returned="C:\\Boot\\ko-KR\\" [0088.172] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\ko-KR\\" | out: lpString1="C:\\Boot\\ko-KR\\") returned="C:\\Boot\\ko-KR\\" [0088.172] lstrcatW (in: lpString1="C:\\Boot\\ko-KR\\", lpString2="*.*" | out: lpString1="C:\\Boot\\ko-KR\\*.*") returned="C:\\Boot\\ko-KR\\*.*" [0088.172] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.174] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.174] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.174] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.174] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.174] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.174] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.174] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.174] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.174] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.174] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.175] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.175] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\ko-KR\\" | out: lpString1="C:\\Boot\\ko-KR\\") returned="C:\\Boot\\ko-KR\\" [0088.175] lstrcatW (in: lpString1="C:\\Boot\\ko-KR\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned="C:\\Boot\\ko-KR\\bootmgr.exe.mui" [0088.175] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.175] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.175] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.175] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.176] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.176] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.176] lstrlenA (lpString="NEPHILIM") returned 8 [0088.176] GetProcessHeap () returned 0x4e0000 [0088.176] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5029f0 [0088.176] lstrlenA (lpString="NEPHILIM") returned 8 [0088.176] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.176] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.177] GetProcessHeap () returned 0x4e0000 [0088.177] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcbe0 [0088.177] GetProcessHeap () returned 0x4e0000 [0088.177] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcbf8 [0088.177] SystemFunction036 (in: RandomBuffer=0x4fcbe0, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcbe0) returned 1 [0088.177] SystemFunction036 (in: RandomBuffer=0x4fcbf8, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcbf8) returned 1 [0088.177] GetProcessHeap () returned 0x4e0000 [0088.177] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x505df8 [0088.177] GetProcessHeap () returned 0x4e0000 [0088.177] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x505f00 [0088.177] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x505df8*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x505df8*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.177] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x505f00*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x505f00*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.177] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.177] SetLastError (dwErrCode=0x0) [0088.177] WriteFile (in: hFile=0xffffffff, lpBuffer=0x505df8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.177] GetLastError () returned 0x6 [0088.178] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.178] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.178] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2=".") returned 1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="..") returned 1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="...") returned 1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="windows") returned -1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="$RECYCLE.BIN") returned 1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="rsa") returned -1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="log") returned 1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="NTDETECT.COM") returned -1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="ntldr") returned -1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="MSDOS.SYS") returned -1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="IO.SYS") returned 1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="boot.ini") returned 1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="AUTOEXEC.BAT") returned 1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="ntuser.dat") returned -1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="desktop.ini") returned 1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="CONFIG.SYS") returned 1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="RECYCLER") returned -1 [0088.178] lstrcmpiW (lpString1="memtest.exe", lpString2="BOOTSECT.BAK") returned 1 [0088.179] lstrcmpiW (lpString1="memtest.exe", lpString2="bootmgr") returned 1 [0088.179] lstrcmpiW (lpString1="memtest.exe", lpString2="programdata") returned -1 [0088.179] lstrcmpiW (lpString1="memtest.exe", lpString2="appdata") returned 1 [0088.179] lstrcmpiW (lpString1="memtest.exe", lpString2="program files") returned -1 [0088.179] lstrcmpiW (lpString1="memtest.exe", lpString2="program files (x86)") returned -1 [0088.179] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.179] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="memtest.exe" | out: lpString1="C:\\Boot\\memtest.exe") returned="C:\\Boot\\memtest.exe" [0088.179] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0088.179] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0088.179] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2=".") returned 1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="..") returned 1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="...") returned 1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="windows") returned -1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="$RECYCLE.BIN") returned 1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="rsa") returned -1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="log") returned 1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="NTDETECT.COM") returned -1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="ntldr") returned -1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="MSDOS.SYS") returned 1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="IO.SYS") returned 1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="boot.ini") returned 1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="AUTOEXEC.BAT") returned 1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="ntuser.dat") returned -1 [0088.179] lstrcmpiW (lpString1="nb-NO", lpString2="desktop.ini") returned 1 [0088.180] lstrcmpiW (lpString1="nb-NO", lpString2="CONFIG.SYS") returned 1 [0088.180] lstrcmpiW (lpString1="nb-NO", lpString2="RECYCLER") returned -1 [0088.180] lstrcmpiW (lpString1="nb-NO", lpString2="BOOTSECT.BAK") returned 1 [0088.180] lstrcmpiW (lpString1="nb-NO", lpString2="bootmgr") returned 1 [0088.180] lstrcmpiW (lpString1="nb-NO", lpString2="programdata") returned -1 [0088.180] lstrcmpiW (lpString1="nb-NO", lpString2="appdata") returned 1 [0088.180] lstrcmpiW (lpString1="nb-NO", lpString2="program files") returned -1 [0088.180] lstrcmpiW (lpString1="nb-NO", lpString2="program files (x86)") returned -1 [0088.180] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.180] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="nb-NO" | out: lpString1="C:\\Boot\\nb-NO") returned="C:\\Boot\\nb-NO" [0088.180] lstrcatW (in: lpString1="C:\\Boot\\nb-NO", lpString2="\\" | out: lpString1="C:\\Boot\\nb-NO\\") returned="C:\\Boot\\nb-NO\\" [0088.180] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\nb-NO\\" | out: lpString1="C:\\Boot\\nb-NO\\") returned="C:\\Boot\\nb-NO\\" [0088.180] lstrcatW (in: lpString1="C:\\Boot\\nb-NO\\", lpString2="*.*" | out: lpString1="C:\\Boot\\nb-NO\\*.*") returned="C:\\Boot\\nb-NO\\*.*" [0088.180] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.181] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.181] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.181] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.181] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.181] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.181] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.182] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.182] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\nb-NO\\" | out: lpString1="C:\\Boot\\nb-NO\\") returned="C:\\Boot\\nb-NO\\" [0088.182] lstrcatW (in: lpString1="C:\\Boot\\nb-NO\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned="C:\\Boot\\nb-NO\\bootmgr.exe.mui" [0088.182] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.182] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.182] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.182] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.182] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.182] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.182] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.182] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.182] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.182] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.182] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.182] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.182] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.183] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.183] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.183] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.183] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.183] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.183] lstrlenA (lpString="NEPHILIM") returned 8 [0088.183] GetProcessHeap () returned 0x4e0000 [0088.183] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502a00 [0088.183] lstrlenA (lpString="NEPHILIM") returned 8 [0088.183] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.184] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.184] GetProcessHeap () returned 0x4e0000 [0088.184] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcc10 [0088.184] GetProcessHeap () returned 0x4e0000 [0088.184] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x4fcc28 [0088.184] SystemFunction036 (in: RandomBuffer=0x4fcc10, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcc10) returned 1 [0088.184] SystemFunction036 (in: RandomBuffer=0x4fcc28, RandomBufferLength=0x10 | out: RandomBuffer=0x4fcc28) returned 1 [0088.184] GetProcessHeap () returned 0x4e0000 [0088.184] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506008 [0088.184] GetProcessHeap () returned 0x4e0000 [0088.184] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506110 [0088.184] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506008*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x506008*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.185] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506110*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x506110*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.185] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.185] SetLastError (dwErrCode=0x0) [0088.185] WriteFile (in: hFile=0xffffffff, lpBuffer=0x506008, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.185] GetLastError () returned 0x6 [0088.185] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.185] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.185] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0088.185] lstrcmpiW (lpString1="nl-NL", lpString2=".") returned 1 [0088.185] lstrcmpiW (lpString1="nl-NL", lpString2="..") returned 1 [0088.185] lstrcmpiW (lpString1="nl-NL", lpString2="...") returned 1 [0088.185] lstrcmpiW (lpString1="nl-NL", lpString2="windows") returned -1 [0088.185] lstrcmpiW (lpString1="nl-NL", lpString2="$RECYCLE.BIN") returned 1 [0088.185] lstrcmpiW (lpString1="nl-NL", lpString2="rsa") returned -1 [0088.185] lstrcmpiW (lpString1="nl-NL", lpString2="log") returned 1 [0088.185] lstrcmpiW (lpString1="nl-NL", lpString2="NTDETECT.COM") returned -1 [0088.185] lstrcmpiW (lpString1="nl-NL", lpString2="ntldr") returned -1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="MSDOS.SYS") returned 1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="IO.SYS") returned 1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="boot.ini") returned 1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="AUTOEXEC.BAT") returned 1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="ntuser.dat") returned -1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="desktop.ini") returned 1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="CONFIG.SYS") returned 1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="RECYCLER") returned -1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="BOOTSECT.BAK") returned 1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="bootmgr") returned 1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="programdata") returned -1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="appdata") returned 1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="program files") returned -1 [0088.186] lstrcmpiW (lpString1="nl-NL", lpString2="program files (x86)") returned -1 [0088.186] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.186] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="nl-NL" | out: lpString1="C:\\Boot\\nl-NL") returned="C:\\Boot\\nl-NL" [0088.186] lstrcatW (in: lpString1="C:\\Boot\\nl-NL", lpString2="\\" | out: lpString1="C:\\Boot\\nl-NL\\") returned="C:\\Boot\\nl-NL\\" [0088.186] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\nl-NL\\" | out: lpString1="C:\\Boot\\nl-NL\\") returned="C:\\Boot\\nl-NL\\" [0088.186] lstrcatW (in: lpString1="C:\\Boot\\nl-NL\\", lpString2="*.*" | out: lpString1="C:\\Boot\\nl-NL\\*.*") returned="C:\\Boot\\nl-NL\\*.*" [0088.186] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.187] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.187] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.187] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.187] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.187] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.187] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.188] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.188] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\nl-NL\\" | out: lpString1="C:\\Boot\\nl-NL\\") returned="C:\\Boot\\nl-NL\\" [0088.188] lstrcatW (in: lpString1="C:\\Boot\\nl-NL\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned="C:\\Boot\\nl-NL\\bootmgr.exe.mui" [0088.188] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.188] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.188] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.188] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.188] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.188] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.188] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.188] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.188] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.188] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.188] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.188] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.188] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.189] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.189] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.189] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.189] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.189] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.189] lstrlenA (lpString="NEPHILIM") returned 8 [0088.189] GetProcessHeap () returned 0x4e0000 [0088.189] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502a10 [0088.189] lstrlenA (lpString="NEPHILIM") returned 8 [0088.189] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.189] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.189] GetProcessHeap () returned 0x4e0000 [0088.189] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504a80 [0088.189] GetProcessHeap () returned 0x4e0000 [0088.189] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504a98 [0088.189] SystemFunction036 (in: RandomBuffer=0x504a80, RandomBufferLength=0x10 | out: RandomBuffer=0x504a80) returned 1 [0088.189] SystemFunction036 (in: RandomBuffer=0x504a98, RandomBufferLength=0x10 | out: RandomBuffer=0x504a98) returned 1 [0088.190] GetProcessHeap () returned 0x4e0000 [0088.190] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506218 [0088.190] GetProcessHeap () returned 0x4e0000 [0088.190] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506320 [0088.190] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506218*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x506218*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.190] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506320*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x506320*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.190] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.190] SetLastError (dwErrCode=0x0) [0088.190] WriteFile (in: hFile=0xffffffff, lpBuffer=0x506218, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.190] GetLastError () returned 0x6 [0088.190] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.191] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.191] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2=".") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="..") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="...") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="windows") returned -1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="$RECYCLE.BIN") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="rsa") returned -1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="log") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="NTDETECT.COM") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="ntldr") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="MSDOS.SYS") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="IO.SYS") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="boot.ini") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="AUTOEXEC.BAT") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="ntuser.dat") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="desktop.ini") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="CONFIG.SYS") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="RECYCLER") returned -1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="BOOTSECT.BAK") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="bootmgr") returned 1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="programdata") returned -1 [0088.191] lstrcmpiW (lpString1="pl-PL", lpString2="appdata") returned 1 [0088.192] lstrcmpiW (lpString1="pl-PL", lpString2="program files") returned -1 [0088.192] lstrcmpiW (lpString1="pl-PL", lpString2="program files (x86)") returned -1 [0088.192] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.192] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="pl-PL" | out: lpString1="C:\\Boot\\pl-PL") returned="C:\\Boot\\pl-PL" [0088.192] lstrcatW (in: lpString1="C:\\Boot\\pl-PL", lpString2="\\" | out: lpString1="C:\\Boot\\pl-PL\\") returned="C:\\Boot\\pl-PL\\" [0088.192] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\pl-PL\\" | out: lpString1="C:\\Boot\\pl-PL\\") returned="C:\\Boot\\pl-PL\\" [0088.192] lstrcatW (in: lpString1="C:\\Boot\\pl-PL\\", lpString2="*.*" | out: lpString1="C:\\Boot\\pl-PL\\*.*") returned="C:\\Boot\\pl-PL\\*.*" [0088.192] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.192] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.192] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.192] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.192] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.192] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.193] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.193] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\pl-PL\\" | out: lpString1="C:\\Boot\\pl-PL\\") returned="C:\\Boot\\pl-PL\\" [0088.194] lstrcatW (in: lpString1="C:\\Boot\\pl-PL\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned="C:\\Boot\\pl-PL\\bootmgr.exe.mui" [0088.194] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.194] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.194] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.194] lstrlenA (lpString="NEPHILIM") returned 8 [0088.194] GetProcessHeap () returned 0x4e0000 [0088.194] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502a20 [0088.194] lstrlenA (lpString="NEPHILIM") returned 8 [0088.194] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.195] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.196] GetProcessHeap () returned 0x4e0000 [0088.196] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ab0 [0088.196] GetProcessHeap () returned 0x4e0000 [0088.196] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ac8 [0088.196] SystemFunction036 (in: RandomBuffer=0x504ab0, RandomBufferLength=0x10 | out: RandomBuffer=0x504ab0) returned 1 [0088.196] SystemFunction036 (in: RandomBuffer=0x504ac8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ac8) returned 1 [0088.196] GetProcessHeap () returned 0x4e0000 [0088.196] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506428 [0088.196] GetProcessHeap () returned 0x4e0000 [0088.196] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506530 [0088.196] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506428*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x506428*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.196] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506530*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x506530*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.196] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.196] SetLastError (dwErrCode=0x0) [0088.196] WriteFile (in: hFile=0xffffffff, lpBuffer=0x506428, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.197] GetLastError () returned 0x6 [0088.197] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.197] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.197] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2=".") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="..") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="...") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="windows") returned -1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="$RECYCLE.BIN") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="rsa") returned -1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="log") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="NTDETECT.COM") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="ntldr") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="MSDOS.SYS") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="IO.SYS") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="boot.ini") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="AUTOEXEC.BAT") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="ntuser.dat") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="desktop.ini") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="CONFIG.SYS") returned 1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="RECYCLER") returned -1 [0088.197] lstrcmpiW (lpString1="pt-BR", lpString2="BOOTSECT.BAK") returned 1 [0088.198] lstrcmpiW (lpString1="pt-BR", lpString2="bootmgr") returned 1 [0088.198] lstrcmpiW (lpString1="pt-BR", lpString2="programdata") returned 1 [0088.198] lstrcmpiW (lpString1="pt-BR", lpString2="appdata") returned 1 [0088.198] lstrcmpiW (lpString1="pt-BR", lpString2="program files") returned 1 [0088.198] lstrcmpiW (lpString1="pt-BR", lpString2="program files (x86)") returned 1 [0088.198] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.198] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="pt-BR" | out: lpString1="C:\\Boot\\pt-BR") returned="C:\\Boot\\pt-BR" [0088.198] lstrcatW (in: lpString1="C:\\Boot\\pt-BR", lpString2="\\" | out: lpString1="C:\\Boot\\pt-BR\\") returned="C:\\Boot\\pt-BR\\" [0088.198] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\pt-BR\\" | out: lpString1="C:\\Boot\\pt-BR\\") returned="C:\\Boot\\pt-BR\\" [0088.198] lstrcatW (in: lpString1="C:\\Boot\\pt-BR\\", lpString2="*.*" | out: lpString1="C:\\Boot\\pt-BR\\*.*") returned="C:\\Boot\\pt-BR\\*.*" [0088.198] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.198] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.198] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.198] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.198] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.198] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.199] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.199] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\pt-BR\\" | out: lpString1="C:\\Boot\\pt-BR\\") returned="C:\\Boot\\pt-BR\\" [0088.199] lstrcatW (in: lpString1="C:\\Boot\\pt-BR\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned="C:\\Boot\\pt-BR\\bootmgr.exe.mui" [0088.200] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.200] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.200] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.200] lstrlenA (lpString="NEPHILIM") returned 8 [0088.200] GetProcessHeap () returned 0x4e0000 [0088.200] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502a30 [0088.200] lstrlenA (lpString="NEPHILIM") returned 8 [0088.200] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.201] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.201] GetProcessHeap () returned 0x4e0000 [0088.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ae0 [0088.201] GetProcessHeap () returned 0x4e0000 [0088.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504af8 [0088.201] SystemFunction036 (in: RandomBuffer=0x504ae0, RandomBufferLength=0x10 | out: RandomBuffer=0x504ae0) returned 1 [0088.201] SystemFunction036 (in: RandomBuffer=0x504af8, RandomBufferLength=0x10 | out: RandomBuffer=0x504af8) returned 1 [0088.201] GetProcessHeap () returned 0x4e0000 [0088.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506638 [0088.201] GetProcessHeap () returned 0x4e0000 [0088.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506740 [0088.201] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506638*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x506638*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.201] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506740*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x506740*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.201] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.202] SetLastError (dwErrCode=0x0) [0088.202] WriteFile (in: hFile=0xffffffff, lpBuffer=0x506638, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.202] GetLastError () returned 0x6 [0088.202] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.202] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.202] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2=".") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="..") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="...") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="windows") returned -1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="$RECYCLE.BIN") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="rsa") returned -1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="log") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="NTDETECT.COM") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="ntldr") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="MSDOS.SYS") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="IO.SYS") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="boot.ini") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="AUTOEXEC.BAT") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="ntuser.dat") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="desktop.ini") returned 1 [0088.202] lstrcmpiW (lpString1="pt-PT", lpString2="CONFIG.SYS") returned 1 [0088.203] lstrcmpiW (lpString1="pt-PT", lpString2="RECYCLER") returned -1 [0088.203] lstrcmpiW (lpString1="pt-PT", lpString2="BOOTSECT.BAK") returned 1 [0088.203] lstrcmpiW (lpString1="pt-PT", lpString2="bootmgr") returned 1 [0088.203] lstrcmpiW (lpString1="pt-PT", lpString2="programdata") returned 1 [0088.203] lstrcmpiW (lpString1="pt-PT", lpString2="appdata") returned 1 [0088.203] lstrcmpiW (lpString1="pt-PT", lpString2="program files") returned 1 [0088.203] lstrcmpiW (lpString1="pt-PT", lpString2="program files (x86)") returned 1 [0088.203] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.203] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="pt-PT" | out: lpString1="C:\\Boot\\pt-PT") returned="C:\\Boot\\pt-PT" [0088.203] lstrcatW (in: lpString1="C:\\Boot\\pt-PT", lpString2="\\" | out: lpString1="C:\\Boot\\pt-PT\\") returned="C:\\Boot\\pt-PT\\" [0088.203] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\pt-PT\\" | out: lpString1="C:\\Boot\\pt-PT\\") returned="C:\\Boot\\pt-PT\\" [0088.203] lstrcatW (in: lpString1="C:\\Boot\\pt-PT\\", lpString2="*.*" | out: lpString1="C:\\Boot\\pt-PT\\*.*") returned="C:\\Boot\\pt-PT\\*.*" [0088.203] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.203] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.203] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.204] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.204] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.204] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.204] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.205] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.205] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\pt-PT\\" | out: lpString1="C:\\Boot\\pt-PT\\") returned="C:\\Boot\\pt-PT\\" [0088.205] lstrcatW (in: lpString1="C:\\Boot\\pt-PT\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned="C:\\Boot\\pt-PT\\bootmgr.exe.mui" [0088.205] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.205] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.205] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.205] lstrlenA (lpString="NEPHILIM") returned 8 [0088.205] GetProcessHeap () returned 0x4e0000 [0088.205] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502a40 [0088.205] lstrlenA (lpString="NEPHILIM") returned 8 [0088.205] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.207] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.207] GetProcessHeap () returned 0x4e0000 [0088.207] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504b10 [0088.207] GetProcessHeap () returned 0x4e0000 [0088.207] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504b28 [0088.207] SystemFunction036 (in: RandomBuffer=0x504b10, RandomBufferLength=0x10 | out: RandomBuffer=0x504b10) returned 1 [0088.207] SystemFunction036 (in: RandomBuffer=0x504b28, RandomBufferLength=0x10 | out: RandomBuffer=0x504b28) returned 1 [0088.207] GetProcessHeap () returned 0x4e0000 [0088.207] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506848 [0088.207] GetProcessHeap () returned 0x4e0000 [0088.207] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506950 [0088.207] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506848*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x506848*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.207] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506950*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x506950*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.207] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.207] SetLastError (dwErrCode=0x0) [0088.208] WriteFile (in: hFile=0xffffffff, lpBuffer=0x506848, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.208] GetLastError () returned 0x6 [0088.208] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.208] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.208] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2=".") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="..") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="...") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="windows") returned -1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="$RECYCLE.BIN") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="rsa") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="log") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="NTDETECT.COM") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="ntldr") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="MSDOS.SYS") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="IO.SYS") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="boot.ini") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="AUTOEXEC.BAT") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="ntuser.dat") returned 1 [0088.208] lstrcmpiW (lpString1="ru-RU", lpString2="desktop.ini") returned 1 [0088.209] lstrcmpiW (lpString1="ru-RU", lpString2="CONFIG.SYS") returned 1 [0088.209] lstrcmpiW (lpString1="ru-RU", lpString2="RECYCLER") returned 1 [0088.209] lstrcmpiW (lpString1="ru-RU", lpString2="BOOTSECT.BAK") returned 1 [0088.209] lstrcmpiW (lpString1="ru-RU", lpString2="bootmgr") returned 1 [0088.209] lstrcmpiW (lpString1="ru-RU", lpString2="programdata") returned 1 [0088.209] lstrcmpiW (lpString1="ru-RU", lpString2="appdata") returned 1 [0088.209] lstrcmpiW (lpString1="ru-RU", lpString2="program files") returned 1 [0088.209] lstrcmpiW (lpString1="ru-RU", lpString2="program files (x86)") returned 1 [0088.209] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.209] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="ru-RU" | out: lpString1="C:\\Boot\\ru-RU") returned="C:\\Boot\\ru-RU" [0088.209] lstrcatW (in: lpString1="C:\\Boot\\ru-RU", lpString2="\\" | out: lpString1="C:\\Boot\\ru-RU\\") returned="C:\\Boot\\ru-RU\\" [0088.209] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\ru-RU\\" | out: lpString1="C:\\Boot\\ru-RU\\") returned="C:\\Boot\\ru-RU\\" [0088.209] lstrcatW (in: lpString1="C:\\Boot\\ru-RU\\", lpString2="*.*" | out: lpString1="C:\\Boot\\ru-RU\\*.*") returned="C:\\Boot\\ru-RU\\*.*" [0088.209] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.209] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.210] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.210] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.210] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.210] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.210] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.211] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.211] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.211] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\ru-RU\\" | out: lpString1="C:\\Boot\\ru-RU\\") returned="C:\\Boot\\ru-RU\\" [0088.211] lstrcatW (in: lpString1="C:\\Boot\\ru-RU\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned="C:\\Boot\\ru-RU\\bootmgr.exe.mui" [0088.211] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.211] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.211] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.211] lstrlenA (lpString="NEPHILIM") returned 8 [0088.211] GetProcessHeap () returned 0x4e0000 [0088.211] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502a50 [0088.212] lstrlenA (lpString="NEPHILIM") returned 8 [0088.212] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.212] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.212] GetProcessHeap () returned 0x4e0000 [0088.212] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504b40 [0088.212] GetProcessHeap () returned 0x4e0000 [0088.212] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504b58 [0088.212] SystemFunction036 (in: RandomBuffer=0x504b40, RandomBufferLength=0x10 | out: RandomBuffer=0x504b40) returned 1 [0088.212] SystemFunction036 (in: RandomBuffer=0x504b58, RandomBufferLength=0x10 | out: RandomBuffer=0x504b58) returned 1 [0088.212] GetProcessHeap () returned 0x4e0000 [0088.212] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506a58 [0088.213] GetProcessHeap () returned 0x4e0000 [0088.213] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506b60 [0088.213] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506a58*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x506a58*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.213] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506b60*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x506b60*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.213] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.213] SetLastError (dwErrCode=0x0) [0088.213] WriteFile (in: hFile=0xffffffff, lpBuffer=0x506a58, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.213] GetLastError () returned 0x6 [0088.213] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.213] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.213] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2=".") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="..") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="...") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="windows") returned -1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="$RECYCLE.BIN") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="rsa") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="log") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="NTDETECT.COM") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="ntldr") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="MSDOS.SYS") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="IO.SYS") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="boot.ini") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="AUTOEXEC.BAT") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="ntuser.dat") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="desktop.ini") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="CONFIG.SYS") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="RECYCLER") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="BOOTSECT.BAK") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="bootmgr") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="programdata") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="appdata") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="program files") returned 1 [0088.214] lstrcmpiW (lpString1="sv-SE", lpString2="program files (x86)") returned 1 [0088.214] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.215] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="sv-SE" | out: lpString1="C:\\Boot\\sv-SE") returned="C:\\Boot\\sv-SE" [0088.215] lstrcatW (in: lpString1="C:\\Boot\\sv-SE", lpString2="\\" | out: lpString1="C:\\Boot\\sv-SE\\") returned="C:\\Boot\\sv-SE\\" [0088.215] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\sv-SE\\" | out: lpString1="C:\\Boot\\sv-SE\\") returned="C:\\Boot\\sv-SE\\" [0088.215] lstrcatW (in: lpString1="C:\\Boot\\sv-SE\\", lpString2="*.*" | out: lpString1="C:\\Boot\\sv-SE\\*.*") returned="C:\\Boot\\sv-SE\\*.*" [0088.215] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.215] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.215] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.215] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.215] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.215] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.215] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.216] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.216] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\sv-SE\\" | out: lpString1="C:\\Boot\\sv-SE\\") returned="C:\\Boot\\sv-SE\\" [0088.216] lstrcatW (in: lpString1="C:\\Boot\\sv-SE\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned="C:\\Boot\\sv-SE\\bootmgr.exe.mui" [0088.216] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.216] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.216] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.217] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.217] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.217] lstrlenA (lpString="NEPHILIM") returned 8 [0088.217] GetProcessHeap () returned 0x4e0000 [0088.217] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502a60 [0088.217] lstrlenA (lpString="NEPHILIM") returned 8 [0088.217] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.220] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.220] GetProcessHeap () returned 0x4e0000 [0088.220] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504b70 [0088.220] GetProcessHeap () returned 0x4e0000 [0088.220] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504b88 [0088.220] SystemFunction036 (in: RandomBuffer=0x504b70, RandomBufferLength=0x10 | out: RandomBuffer=0x504b70) returned 1 [0088.220] SystemFunction036 (in: RandomBuffer=0x504b88, RandomBufferLength=0x10 | out: RandomBuffer=0x504b88) returned 1 [0088.220] GetProcessHeap () returned 0x4e0000 [0088.220] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506c68 [0088.220] GetProcessHeap () returned 0x4e0000 [0088.220] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506d70 [0088.220] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506c68*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x506c68*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.220] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506d70*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x506d70*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.220] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.220] SetLastError (dwErrCode=0x0) [0088.220] WriteFile (in: hFile=0xffffffff, lpBuffer=0x506c68, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.220] GetLastError () returned 0x6 [0088.221] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.221] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.221] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2=".") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="..") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="...") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="windows") returned -1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="$RECYCLE.BIN") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="rsa") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="log") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="NTDETECT.COM") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="ntldr") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="MSDOS.SYS") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="IO.SYS") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="boot.ini") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="AUTOEXEC.BAT") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="ntuser.dat") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="desktop.ini") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="CONFIG.SYS") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="RECYCLER") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="BOOTSECT.BAK") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="bootmgr") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="programdata") returned 1 [0088.221] lstrcmpiW (lpString1="tr-TR", lpString2="appdata") returned 1 [0088.222] lstrcmpiW (lpString1="tr-TR", lpString2="program files") returned 1 [0088.222] lstrcmpiW (lpString1="tr-TR", lpString2="program files (x86)") returned 1 [0088.222] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.222] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="tr-TR" | out: lpString1="C:\\Boot\\tr-TR") returned="C:\\Boot\\tr-TR" [0088.222] lstrcatW (in: lpString1="C:\\Boot\\tr-TR", lpString2="\\" | out: lpString1="C:\\Boot\\tr-TR\\") returned="C:\\Boot\\tr-TR\\" [0088.222] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\tr-TR\\" | out: lpString1="C:\\Boot\\tr-TR\\") returned="C:\\Boot\\tr-TR\\" [0088.222] lstrcatW (in: lpString1="C:\\Boot\\tr-TR\\", lpString2="*.*" | out: lpString1="C:\\Boot\\tr-TR\\*.*") returned="C:\\Boot\\tr-TR\\*.*" [0088.222] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.222] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.222] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.222] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.222] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.222] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.222] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.223] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.223] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\tr-TR\\" | out: lpString1="C:\\Boot\\tr-TR\\") returned="C:\\Boot\\tr-TR\\" [0088.223] lstrcatW (in: lpString1="C:\\Boot\\tr-TR\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned="C:\\Boot\\tr-TR\\bootmgr.exe.mui" [0088.223] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.223] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.223] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.224] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.224] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.224] lstrlenA (lpString="NEPHILIM") returned 8 [0088.224] GetProcessHeap () returned 0x4e0000 [0088.224] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502a70 [0088.224] lstrlenA (lpString="NEPHILIM") returned 8 [0088.224] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.224] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.224] GetProcessHeap () returned 0x4e0000 [0088.224] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ba0 [0088.225] GetProcessHeap () returned 0x4e0000 [0088.225] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504bb8 [0088.225] SystemFunction036 (in: RandomBuffer=0x504ba0, RandomBufferLength=0x10 | out: RandomBuffer=0x504ba0) returned 1 [0088.225] SystemFunction036 (in: RandomBuffer=0x504bb8, RandomBufferLength=0x10 | out: RandomBuffer=0x504bb8) returned 1 [0088.225] GetProcessHeap () returned 0x4e0000 [0088.225] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506e78 [0088.225] GetProcessHeap () returned 0x4e0000 [0088.225] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x506f80 [0088.225] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506e78*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x506e78*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.225] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x506f80*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x506f80*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.225] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.225] SetLastError (dwErrCode=0x0) [0088.225] WriteFile (in: hFile=0xffffffff, lpBuffer=0x506e78, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.225] GetLastError () returned 0x6 [0088.225] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.225] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.226] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2=".") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="..") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="...") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="windows") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="$RECYCLE.BIN") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="rsa") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="log") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="NTDETECT.COM") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="ntldr") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="MSDOS.SYS") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="IO.SYS") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="boot.ini") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="AUTOEXEC.BAT") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="ntuser.dat") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="desktop.ini") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="CONFIG.SYS") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="RECYCLER") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="BOOTSECT.BAK") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="bootmgr") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="programdata") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="appdata") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="program files") returned 1 [0088.226] lstrcmpiW (lpString1="zh-CN", lpString2="program files (x86)") returned 1 [0088.226] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.226] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="zh-CN" | out: lpString1="C:\\Boot\\zh-CN") returned="C:\\Boot\\zh-CN" [0088.226] lstrcatW (in: lpString1="C:\\Boot\\zh-CN", lpString2="\\" | out: lpString1="C:\\Boot\\zh-CN\\") returned="C:\\Boot\\zh-CN\\" [0088.226] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\zh-CN\\" | out: lpString1="C:\\Boot\\zh-CN\\") returned="C:\\Boot\\zh-CN\\" [0088.226] lstrcatW (in: lpString1="C:\\Boot\\zh-CN\\", lpString2="*.*" | out: lpString1="C:\\Boot\\zh-CN\\*.*") returned="C:\\Boot\\zh-CN\\*.*" [0088.227] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.227] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.227] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.227] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.227] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.227] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.228] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.228] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.228] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.228] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.228] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.228] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.228] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.228] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.228] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.228] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.228] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.228] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.228] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\zh-CN\\" | out: lpString1="C:\\Boot\\zh-CN\\") returned="C:\\Boot\\zh-CN\\" [0088.228] lstrcatW (in: lpString1="C:\\Boot\\zh-CN\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned="C:\\Boot\\zh-CN\\bootmgr.exe.mui" [0088.228] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.228] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.228] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.228] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.228] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.228] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.228] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.228] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.228] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.228] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.228] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.229] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.229] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.229] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.229] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.229] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.229] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.229] lstrlenA (lpString="NEPHILIM") returned 8 [0088.229] GetProcessHeap () returned 0x4e0000 [0088.229] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502a80 [0088.229] lstrlenA (lpString="NEPHILIM") returned 8 [0088.229] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.230] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.230] GetProcessHeap () returned 0x4e0000 [0088.230] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504bd0 [0088.230] GetProcessHeap () returned 0x4e0000 [0088.230] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504be8 [0088.230] SystemFunction036 (in: RandomBuffer=0x504bd0, RandomBufferLength=0x10 | out: RandomBuffer=0x504bd0) returned 1 [0088.230] SystemFunction036 (in: RandomBuffer=0x504be8, RandomBufferLength=0x10 | out: RandomBuffer=0x504be8) returned 1 [0088.230] GetProcessHeap () returned 0x4e0000 [0088.230] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507088 [0088.230] GetProcessHeap () returned 0x4e0000 [0088.230] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507190 [0088.230] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507088*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x507088*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.231] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507190*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x507190*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.231] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.231] SetLastError (dwErrCode=0x0) [0088.231] WriteFile (in: hFile=0xffffffff, lpBuffer=0x507088, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.231] GetLastError () returned 0x6 [0088.231] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.231] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.231] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0088.231] lstrcmpiW (lpString1="zh-HK", lpString2=".") returned 1 [0088.231] lstrcmpiW (lpString1="zh-HK", lpString2="..") returned 1 [0088.231] lstrcmpiW (lpString1="zh-HK", lpString2="...") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="windows") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="$RECYCLE.BIN") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="rsa") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="log") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="NTDETECT.COM") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="ntldr") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="MSDOS.SYS") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="IO.SYS") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="boot.ini") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="AUTOEXEC.BAT") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="ntuser.dat") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="desktop.ini") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="CONFIG.SYS") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="RECYCLER") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="BOOTSECT.BAK") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="bootmgr") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="programdata") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="appdata") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="program files") returned 1 [0088.232] lstrcmpiW (lpString1="zh-HK", lpString2="program files (x86)") returned 1 [0088.232] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.232] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="zh-HK" | out: lpString1="C:\\Boot\\zh-HK") returned="C:\\Boot\\zh-HK" [0088.232] lstrcatW (in: lpString1="C:\\Boot\\zh-HK", lpString2="\\" | out: lpString1="C:\\Boot\\zh-HK\\") returned="C:\\Boot\\zh-HK\\" [0088.232] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\zh-HK\\" | out: lpString1="C:\\Boot\\zh-HK\\") returned="C:\\Boot\\zh-HK\\" [0088.232] lstrcatW (in: lpString1="C:\\Boot\\zh-HK\\", lpString2="*.*" | out: lpString1="C:\\Boot\\zh-HK\\*.*") returned="C:\\Boot\\zh-HK\\*.*" [0088.232] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.233] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.233] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.233] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.233] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.233] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.233] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.234] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.234] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.234] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.234] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.234] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.234] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.234] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.234] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.234] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.234] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\zh-HK\\" | out: lpString1="C:\\Boot\\zh-HK\\") returned="C:\\Boot\\zh-HK\\" [0088.234] lstrcatW (in: lpString1="C:\\Boot\\zh-HK\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned="C:\\Boot\\zh-HK\\bootmgr.exe.mui" [0088.234] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.234] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.235] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.235] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.235] lstrlenA (lpString="NEPHILIM") returned 8 [0088.235] GetProcessHeap () returned 0x4e0000 [0088.235] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502a90 [0088.235] lstrlenA (lpString="NEPHILIM") returned 8 [0088.235] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.235] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.235] GetProcessHeap () returned 0x4e0000 [0088.235] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c00 [0088.235] GetProcessHeap () returned 0x4e0000 [0088.235] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c18 [0088.235] SystemFunction036 (in: RandomBuffer=0x504c00, RandomBufferLength=0x10 | out: RandomBuffer=0x504c00) returned 1 [0088.235] SystemFunction036 (in: RandomBuffer=0x504c18, RandomBufferLength=0x10 | out: RandomBuffer=0x504c18) returned 1 [0088.235] GetProcessHeap () returned 0x4e0000 [0088.235] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5078b8 [0088.235] GetProcessHeap () returned 0x4e0000 [0088.235] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5079c0 [0088.235] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5078b8*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x5078b8*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.236] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5079c0*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x5079c0*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.236] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.236] SetLastError (dwErrCode=0x0) [0088.236] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5078b8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.236] GetLastError () returned 0x6 [0088.236] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.236] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.236] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0088.236] lstrcmpiW (lpString1="zh-TW", lpString2=".") returned 1 [0088.236] lstrcmpiW (lpString1="zh-TW", lpString2="..") returned 1 [0088.236] lstrcmpiW (lpString1="zh-TW", lpString2="...") returned 1 [0088.236] lstrcmpiW (lpString1="zh-TW", lpString2="windows") returned 1 [0088.236] lstrcmpiW (lpString1="zh-TW", lpString2="$RECYCLE.BIN") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="rsa") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="log") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="NTDETECT.COM") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="ntldr") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="MSDOS.SYS") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="IO.SYS") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="boot.ini") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="AUTOEXEC.BAT") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="ntuser.dat") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="desktop.ini") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="CONFIG.SYS") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="RECYCLER") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="BOOTSECT.BAK") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="bootmgr") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="programdata") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="appdata") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="program files") returned 1 [0088.237] lstrcmpiW (lpString1="zh-TW", lpString2="program files (x86)") returned 1 [0088.237] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Boot\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0088.237] lstrcatW (in: lpString1="C:\\Boot\\", lpString2="zh-TW" | out: lpString1="C:\\Boot\\zh-TW") returned="C:\\Boot\\zh-TW" [0088.237] lstrcatW (in: lpString1="C:\\Boot\\zh-TW", lpString2="\\" | out: lpString1="C:\\Boot\\zh-TW\\") returned="C:\\Boot\\zh-TW\\" [0088.237] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Boot\\zh-TW\\" | out: lpString1="C:\\Boot\\zh-TW\\") returned="C:\\Boot\\zh-TW\\" [0088.237] lstrcatW (in: lpString1="C:\\Boot\\zh-TW\\", lpString2="*.*" | out: lpString1="C:\\Boot\\zh-TW\\*.*") returned="C:\\Boot\\zh-TW\\*.*" [0088.237] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.238] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.238] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="..", cAlternateFileName="")) returned 1 [0088.238] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.238] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.238] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="log") returned -1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0088.238] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0088.239] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0088.239] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0088.239] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0088.239] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0088.239] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0088.239] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0088.239] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0088.239] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Boot\\zh-TW\\" | out: lpString1="C:\\Boot\\zh-TW\\") returned="C:\\Boot\\zh-TW\\" [0088.239] lstrcatW (in: lpString1="C:\\Boot\\zh-TW\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned="C:\\Boot\\zh-TW\\bootmgr.exe.mui" [0088.239] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".NEPHILIM") returned -1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0088.239] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0088.239] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.239] lstrlenA (lpString="NEPHILIM") returned 8 [0088.239] GetProcessHeap () returned 0x4e0000 [0088.240] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502aa0 [0088.240] lstrlenA (lpString="NEPHILIM") returned 8 [0088.240] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.240] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0088.240] GetProcessHeap () returned 0x4e0000 [0088.240] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c30 [0088.240] GetProcessHeap () returned 0x4e0000 [0088.240] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c48 [0088.240] SystemFunction036 (in: RandomBuffer=0x504c30, RandomBufferLength=0x10 | out: RandomBuffer=0x504c30) returned 1 [0088.240] SystemFunction036 (in: RandomBuffer=0x504c48, RandomBufferLength=0x10 | out: RandomBuffer=0x504c48) returned 1 [0088.240] GetProcessHeap () returned 0x4e0000 [0088.240] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ac8 [0088.240] GetProcessHeap () returned 0x4e0000 [0088.240] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507bd0 [0088.240] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ac8*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x507ac8*, pdwDataLen=0x24de888*=0x100) returned 1 [0088.240] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507bd0*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x507bd0*, pdwDataLen=0x24de884*=0x100) returned 1 [0088.241] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.241] SetLastError (dwErrCode=0x0) [0088.241] WriteFile (in: hFile=0xffffffff, lpBuffer=0x507ac8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0088.241] GetLastError () returned 0x6 [0088.241] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x24deaac, dwReserved1=0xb1577724, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0088.241] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0088.241] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0088.241] FindClose (in: hFindFile=0x4ff0b8 | out: hFindFile=0x4ff0b8) returned 1 [0088.241] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0088.241] lstrcmpiW (lpString1="bootmgr", lpString2=".") returned 1 [0088.241] lstrcmpiW (lpString1="bootmgr", lpString2="..") returned 1 [0088.241] lstrcmpiW (lpString1="bootmgr", lpString2="...") returned 1 [0088.241] lstrcmpiW (lpString1="bootmgr", lpString2="windows") returned -1 [0088.241] lstrcmpiW (lpString1="bootmgr", lpString2="$RECYCLE.BIN") returned 1 [0088.241] lstrcmpiW (lpString1="bootmgr", lpString2="rsa") returned -1 [0088.241] lstrcmpiW (lpString1="bootmgr", lpString2="log") returned -1 [0088.242] lstrcmpiW (lpString1="bootmgr", lpString2="NTDETECT.COM") returned -1 [0088.242] lstrcmpiW (lpString1="bootmgr", lpString2="ntldr") returned -1 [0088.242] lstrcmpiW (lpString1="bootmgr", lpString2="MSDOS.SYS") returned -1 [0088.242] lstrcmpiW (lpString1="bootmgr", lpString2="IO.SYS") returned -1 [0088.242] lstrcmpiW (lpString1="bootmgr", lpString2="boot.ini") returned 1 [0088.242] lstrcmpiW (lpString1="bootmgr", lpString2="AUTOEXEC.BAT") returned 1 [0088.242] lstrcmpiW (lpString1="bootmgr", lpString2="ntuser.dat") returned -1 [0088.242] lstrcmpiW (lpString1="bootmgr", lpString2="desktop.ini") returned -1 [0088.242] lstrcmpiW (lpString1="bootmgr", lpString2="CONFIG.SYS") returned -1 [0088.242] lstrcmpiW (lpString1="bootmgr", lpString2="RECYCLER") returned -1 [0088.242] lstrcmpiW (lpString1="bootmgr", lpString2="BOOTSECT.BAK") returned -1 [0088.242] lstrcmpiW (lpString1="bootmgr", lpString2="bootmgr") returned 0 [0088.242] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0088.242] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0088.242] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0088.242] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="...") returned 1 [0088.242] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="windows") returned -1 [0088.242] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="$RECYCLE.BIN") returned 1 [0088.242] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="rsa") returned -1 [0088.242] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="log") returned -1 [0088.242] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="NTDETECT.COM") returned -1 [0088.242] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="ntldr") returned -1 [0088.242] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="MSDOS.SYS") returned -1 [0088.242] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="IO.SYS") returned -1 [0088.243] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="boot.ini") returned 1 [0088.243] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="AUTOEXEC.BAT") returned 1 [0088.243] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="ntuser.dat") returned -1 [0088.243] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="desktop.ini") returned -1 [0088.243] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="CONFIG.SYS") returned -1 [0088.243] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="RECYCLER") returned -1 [0088.243] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="BOOTSECT.BAK") returned 0 [0088.243] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0088.243] lstrcmpiW (lpString1="Config.Msi", lpString2=".") returned 1 [0088.243] lstrcmpiW (lpString1="Config.Msi", lpString2="..") returned 1 [0088.243] lstrcmpiW (lpString1="Config.Msi", lpString2="...") returned 1 [0088.243] lstrcmpiW (lpString1="Config.Msi", lpString2="windows") returned -1 [0088.243] lstrcmpiW (lpString1="Config.Msi", lpString2="$RECYCLE.BIN") returned 1 [0088.243] lstrcmpiW (lpString1="Config.Msi", lpString2="rsa") returned -1 [0088.243] lstrcmpiW (lpString1="Config.Msi", lpString2="log") returned -1 [0088.243] lstrcmpiW (lpString1="Config.Msi", lpString2="NTDETECT.COM") returned -1 [0088.243] lstrcmpiW (lpString1="Config.Msi", lpString2="ntldr") returned -1 [0088.244] lstrcmpiW (lpString1="Config.Msi", lpString2="MSDOS.SYS") returned -1 [0088.244] lstrcmpiW (lpString1="Config.Msi", lpString2="IO.SYS") returned -1 [0088.244] lstrcmpiW (lpString1="Config.Msi", lpString2="boot.ini") returned 1 [0088.244] lstrcmpiW (lpString1="Config.Msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.245] lstrcmpiW (lpString1="Config.Msi", lpString2="ntuser.dat") returned -1 [0088.245] lstrcmpiW (lpString1="Config.Msi", lpString2="desktop.ini") returned -1 [0088.245] lstrcmpiW (lpString1="Config.Msi", lpString2="CONFIG.SYS") returned -1 [0088.245] lstrcmpiW (lpString1="Config.Msi", lpString2="RECYCLER") returned -1 [0088.245] lstrcmpiW (lpString1="Config.Msi", lpString2="BOOTSECT.BAK") returned 1 [0088.245] lstrcmpiW (lpString1="Config.Msi", lpString2="bootmgr") returned 1 [0088.245] lstrcmpiW (lpString1="Config.Msi", lpString2="programdata") returned -1 [0088.245] lstrcmpiW (lpString1="Config.Msi", lpString2="appdata") returned 1 [0088.245] lstrcmpiW (lpString1="Config.Msi", lpString2="program files") returned -1 [0088.245] lstrcmpiW (lpString1="Config.Msi", lpString2="program files (x86)") returned -1 [0088.245] lstrcpyW (in: lpString1=0x24dfa58, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0088.245] lstrcatW (in: lpString1="C:\\", lpString2="Config.Msi" | out: lpString1="C:\\Config.Msi") returned="C:\\Config.Msi" [0088.245] lstrcatW (in: lpString1="C:\\Config.Msi", lpString2="\\" | out: lpString1="C:\\Config.Msi\\") returned="C:\\Config.Msi\\" [0088.245] lstrcpyW (in: lpString1=0x24df5e0, lpString2="C:\\Config.Msi\\" | out: lpString1="C:\\Config.Msi\\") returned="C:\\Config.Msi\\" [0088.245] lstrcatW (in: lpString1="C:\\Config.Msi\\", lpString2="*.*" | out: lpString1="C:\\Config.Msi\\*.*") returned="C:\\Config.Msi\\*.*" [0088.245] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*.*", lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName=".", cAlternateFileName="")) returned 0x4ff0b8 [0088.246] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.246] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="..", cAlternateFileName="")) returned 1 [0088.246] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.246] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.246] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="..", cAlternateFileName="")) returned 0 [0088.246] FindClose (in: hFindFile=0x4ff0b8 | out: hFindFile=0x4ff0b8) returned 1 [0088.246] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0088.246] lstrcmpiW (lpString1="Documents and Settings", lpString2=".") returned 1 [0088.246] lstrcmpiW (lpString1="Documents and Settings", lpString2="..") returned 1 [0088.246] lstrcmpiW (lpString1="Documents and Settings", lpString2="...") returned 1 [0088.246] lstrcmpiW (lpString1="Documents and Settings", lpString2="windows") returned -1 [0088.246] lstrcmpiW (lpString1="Documents and Settings", lpString2="$RECYCLE.BIN") returned 1 [0088.246] lstrcmpiW (lpString1="Documents and Settings", lpString2="rsa") returned -1 [0088.246] lstrcmpiW (lpString1="Documents and Settings", lpString2="log") returned -1 [0088.246] lstrcmpiW (lpString1="Documents and Settings", lpString2="NTDETECT.COM") returned -1 [0088.246] lstrcmpiW (lpString1="Documents and Settings", lpString2="ntldr") returned -1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="MSDOS.SYS") returned -1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="IO.SYS") returned -1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="boot.ini") returned 1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="AUTOEXEC.BAT") returned 1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="ntuser.dat") returned -1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="desktop.ini") returned 1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="CONFIG.SYS") returned 1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="RECYCLER") returned -1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="BOOTSECT.BAK") returned 1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="bootmgr") returned 1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="programdata") returned -1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="appdata") returned 1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="program files") returned -1 [0088.247] lstrcmpiW (lpString1="Documents and Settings", lpString2="program files (x86)") returned -1 [0088.247] lstrcpyW (in: lpString1=0x24dfa58, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0088.247] lstrcatW (in: lpString1="C:\\", lpString2="Documents and Settings" | out: lpString1="C:\\Documents and Settings") returned="C:\\Documents and Settings" [0088.247] lstrcatW (in: lpString1="C:\\Documents and Settings", lpString2="\\" | out: lpString1="C:\\Documents and Settings\\") returned="C:\\Documents and Settings\\" [0088.247] lstrcpyW (in: lpString1=0x24df5e0, lpString2="C:\\Documents and Settings\\" | out: lpString1="C:\\Documents and Settings\\") returned="C:\\Documents and Settings\\" [0088.247] lstrcatW (in: lpString1="C:\\Documents and Settings\\", lpString2="*.*" | out: lpString1="C:\\Documents and Settings\\*.*") returned="C:\\Documents and Settings\\*.*" [0088.247] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*.*", lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe0, dwReserved1=0x24df1d0, cFileName="..", cAlternateFileName="")) returned 0xffffffff [0088.248] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="...") returned 1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="windows") returned -1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="$RECYCLE.BIN") returned 1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="rsa") returned -1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="log") returned -1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="NTDETECT.COM") returned -1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="ntldr") returned -1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="MSDOS.SYS") returned -1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="IO.SYS") returned -1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="boot.ini") returned 1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="AUTOEXEC.BAT") returned 1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="ntuser.dat") returned -1 [0088.248] lstrcmpiW (lpString1="hiberfil.sys", lpString2="desktop.ini") returned 1 [0088.249] lstrcmpiW (lpString1="hiberfil.sys", lpString2="CONFIG.SYS") returned 1 [0088.249] lstrcmpiW (lpString1="hiberfil.sys", lpString2="RECYCLER") returned -1 [0088.249] lstrcmpiW (lpString1="hiberfil.sys", lpString2="BOOTSECT.BAK") returned 1 [0088.249] lstrcmpiW (lpString1="hiberfil.sys", lpString2="bootmgr") returned 1 [0088.249] lstrcmpiW (lpString1="hiberfil.sys", lpString2="programdata") returned -1 [0088.249] lstrcmpiW (lpString1="hiberfil.sys", lpString2="appdata") returned 1 [0088.249] lstrcmpiW (lpString1="hiberfil.sys", lpString2="program files") returned -1 [0088.249] lstrcmpiW (lpString1="hiberfil.sys", lpString2="program files (x86)") returned -1 [0088.249] lstrcpyW (in: lpString1=0x24dfa58, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0088.249] lstrcatW (in: lpString1="C:\\", lpString2="hiberfil.sys" | out: lpString1="C:\\hiberfil.sys") returned="C:\\hiberfil.sys" [0088.249] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".NEPHILIM") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0088.249] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0088.249] lstrcmpiW (lpString1="hiberfil.sys", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.249] lstrlenA (lpString="NEPHILIM") returned 8 [0088.249] GetProcessHeap () returned 0x4e0000 [0088.249] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502ab0 [0088.250] lstrlenA (lpString="NEPHILIM") returned 8 [0088.250] CreateFileW (lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.250] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24df7c8 | out: lpFileSize=0x24df7c8*=4294968320) returned 0 [0088.250] GetProcessHeap () returned 0x4e0000 [0088.250] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c60 [0088.250] GetProcessHeap () returned 0x4e0000 [0088.250] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c78 [0088.250] SystemFunction036 (in: RandomBuffer=0x504c60, RandomBufferLength=0x10 | out: RandomBuffer=0x504c60) returned 1 [0088.250] SystemFunction036 (in: RandomBuffer=0x504c78, RandomBufferLength=0x10 | out: RandomBuffer=0x504c78) returned 1 [0088.250] GetProcessHeap () returned 0x4e0000 [0088.250] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507cd8 [0088.250] GetProcessHeap () returned 0x4e0000 [0088.250] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507de0 [0088.250] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507cd8*, pdwDataLen=0x24df588*=0x10, dwBufLen=0x100 | out: pbData=0x507cd8*, pdwDataLen=0x24df588*=0x100) returned 1 [0088.250] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507de0*, pdwDataLen=0x24df584*=0x10, dwBufLen=0x100 | out: pbData=0x507de0*, pdwDataLen=0x24df584*=0x100) returned 1 [0088.250] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0088.251] SetLastError (dwErrCode=0x0) [0088.251] WriteFile (in: hFile=0xffffffff, lpBuffer=0x507cd8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24df7bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24df7bc, lpOverlapped=0x0) returned 0 [0088.251] GetLastError () returned 0x6 [0088.251] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2=".") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="..") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="...") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="windows") returned -1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="$RECYCLE.BIN") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="rsa") returned -1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="log") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="NTDETECT.COM") returned -1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="ntldr") returned -1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="MSDOS.SYS") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="IO.SYS") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="boot.ini") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="AUTOEXEC.BAT") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="ntuser.dat") returned -1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="desktop.ini") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="CONFIG.SYS") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="RECYCLER") returned -1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="BOOTSECT.BAK") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="bootmgr") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="programdata") returned -1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="appdata") returned 1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="program files") returned -1 [0088.251] lstrcmpiW (lpString1="MSOCache", lpString2="program files (x86)") returned -1 [0088.251] lstrcpyW (in: lpString1=0x24dfa58, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0088.251] lstrcatW (in: lpString1="C:\\", lpString2="MSOCache" | out: lpString1="C:\\MSOCache") returned="C:\\MSOCache" [0088.251] lstrcatW (in: lpString1="C:\\MSOCache", lpString2="\\" | out: lpString1="C:\\MSOCache\\") returned="C:\\MSOCache\\" [0088.252] lstrcpyW (in: lpString1=0x24df5e0, lpString2="C:\\MSOCache\\" | out: lpString1="C:\\MSOCache\\") returned="C:\\MSOCache\\" [0088.252] lstrcatW (in: lpString1="C:\\MSOCache\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\*.*") returned="C:\\MSOCache\\*.*" [0088.252] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*.*", lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x98ddb240, dwReserved1=0x61134734, cFileName=".", cAlternateFileName="")) returned 0x4ff0b8 [0088.252] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.252] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x98ddb240, dwReserved1=0x61134734, cFileName="..", cAlternateFileName="")) returned 1 [0088.252] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.252] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.252] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x98ddb240, dwReserved1=0x61134734, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0088.252] lstrcmpiW (lpString1="All Users", lpString2=".") returned 1 [0088.252] lstrcmpiW (lpString1="All Users", lpString2="..") returned 1 [0088.252] lstrcmpiW (lpString1="All Users", lpString2="...") returned 1 [0088.252] lstrcmpiW (lpString1="All Users", lpString2="windows") returned -1 [0088.252] lstrcmpiW (lpString1="All Users", lpString2="$RECYCLE.BIN") returned 1 [0088.252] lstrcmpiW (lpString1="All Users", lpString2="rsa") returned -1 [0088.252] lstrcmpiW (lpString1="All Users", lpString2="log") returned -1 [0088.252] lstrcmpiW (lpString1="All Users", lpString2="NTDETECT.COM") returned -1 [0088.252] lstrcmpiW (lpString1="All Users", lpString2="ntldr") returned -1 [0088.252] lstrcmpiW (lpString1="All Users", lpString2="MSDOS.SYS") returned -1 [0088.252] lstrcmpiW (lpString1="All Users", lpString2="IO.SYS") returned -1 [0088.252] lstrcmpiW (lpString1="All Users", lpString2="boot.ini") returned -1 [0088.253] lstrcmpiW (lpString1="All Users", lpString2="AUTOEXEC.BAT") returned -1 [0088.253] lstrcmpiW (lpString1="All Users", lpString2="ntuser.dat") returned -1 [0088.253] lstrcmpiW (lpString1="All Users", lpString2="desktop.ini") returned -1 [0088.253] lstrcmpiW (lpString1="All Users", lpString2="CONFIG.SYS") returned -1 [0088.253] lstrcmpiW (lpString1="All Users", lpString2="RECYCLER") returned -1 [0088.253] lstrcmpiW (lpString1="All Users", lpString2="BOOTSECT.BAK") returned -1 [0088.253] lstrcmpiW (lpString1="All Users", lpString2="bootmgr") returned -1 [0088.253] lstrcmpiW (lpString1="All Users", lpString2="programdata") returned -1 [0088.253] lstrcmpiW (lpString1="All Users", lpString2="appdata") returned -1 [0088.253] lstrcmpiW (lpString1="All Users", lpString2="program files") returned -1 [0088.253] lstrcmpiW (lpString1="All Users", lpString2="program files (x86)") returned -1 [0088.253] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\MSOCache\\" | out: lpString1="C:\\MSOCache\\") returned="C:\\MSOCache\\" [0088.253] lstrcatW (in: lpString1="C:\\MSOCache\\", lpString2="All Users" | out: lpString1="C:\\MSOCache\\All Users") returned="C:\\MSOCache\\All Users" [0088.253] lstrcatW (in: lpString1="C:\\MSOCache\\All Users", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0088.253] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0088.253] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\*.*") returned="C:\\MSOCache\\All Users\\*.*" [0088.253] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0088.256] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.256] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="..", cAlternateFileName="")) returned 1 [0088.257] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.257] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.257] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0088.257] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0088.257] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0088.257] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0088.257] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0088.258] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0088.258] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0088.258] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0016-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C" [0088.258] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0088.258] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0088.258] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*" [0088.258] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0088.260] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.260] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0088.260] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.260] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.260] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2=".") returned 1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="..") returned 1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="...") returned 1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="windows") returned -1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="$RECYCLE.BIN") returned 1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="rsa") returned -1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="log") returned -1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="NTDETECT.COM") returned -1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="ntldr") returned -1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="MSDOS.SYS") returned -1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="IO.SYS") returned -1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="boot.ini") returned 1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="AUTOEXEC.BAT") returned 1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="ntuser.dat") returned -1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="desktop.ini") returned 1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="CONFIG.SYS") returned 1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="RECYCLER") returned -1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="BOOTSECT.BAK") returned 1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="bootmgr") returned 1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="programdata") returned -1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="appdata") returned 1 [0088.260] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="program files") returned -1 [0088.261] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="program files (x86)") returned -1 [0088.261] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0088.261] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="ExcelLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" [0088.261] PathFindExtensionW (pszPath="ExcelLR.cab") returned=".cab" [0088.261] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0088.261] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0088.261] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0088.261] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xece1ee80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263e00, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ExcelMUI.msi", cAlternateFileName="")) returned 1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2=".") returned 1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="..") returned 1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="...") returned 1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="windows") returned -1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="rsa") returned -1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="log") returned -1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="NTDETECT.COM") returned -1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="ntldr") returned -1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="MSDOS.SYS") returned -1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="IO.SYS") returned -1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="boot.ini") returned 1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="ntuser.dat") returned -1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="desktop.ini") returned 1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="CONFIG.SYS") returned 1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="RECYCLER") returned -1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="BOOTSECT.BAK") returned 1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="bootmgr") returned 1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="programdata") returned -1 [0088.261] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="appdata") returned 1 [0088.262] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="program files") returned -1 [0088.262] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="program files (x86)") returned -1 [0088.262] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0088.262] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="ExcelMUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" [0088.262] PathFindExtensionW (pszPath="ExcelMUI.msi") returned=".msi" [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0088.262] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0088.262] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ExcelMUI.xml", cAlternateFileName="")) returned 1 [0088.262] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2=".") returned 1 [0088.262] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="..") returned 1 [0088.262] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="...") returned 1 [0088.262] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="windows") returned -1 [0088.262] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.262] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="rsa") returned -1 [0088.262] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="log") returned -1 [0088.262] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="NTDETECT.COM") returned -1 [0088.262] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="ntldr") returned -1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="MSDOS.SYS") returned -1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="IO.SYS") returned -1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="boot.ini") returned 1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="ntuser.dat") returned -1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="desktop.ini") returned 1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="CONFIG.SYS") returned 1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="RECYCLER") returned -1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="bootmgr") returned 1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="programdata") returned -1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="appdata") returned 1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="program files") returned -1 [0088.263] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="program files (x86)") returned -1 [0088.263] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0088.263] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="ExcelMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" [0088.263] PathFindExtensionW (pszPath="ExcelMUI.xml") returned=".xml" [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.263] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.264] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.264] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.264] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.264] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.264] lstrlenA (lpString="NEPHILIM") returned 8 [0088.264] GetProcessHeap () returned 0x4e0000 [0088.264] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502ac0 [0088.264] lstrlenA (lpString="NEPHILIM") returned 8 [0088.264] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.266] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1565) returned 1 [0088.266] GetProcessHeap () returned 0x4e0000 [0088.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.266] GetProcessHeap () returned 0x4e0000 [0088.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.266] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.266] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.266] GetProcessHeap () returned 0x4e0000 [0088.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.266] GetProcessHeap () returned 0x4e0000 [0088.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.266] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.266] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.266] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x61d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.266] SetLastError (dwErrCode=0x0) [0088.267] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.269] GetLastError () returned 0x0 [0088.269] GetLastError () returned 0x0 [0088.269] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x71d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.269] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.269] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x81d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.269] lstrlenA (lpString="NEPHILIM") returned 8 [0088.269] WriteFile (in: hFile=0xec, lpBuffer=0x502ac0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502ac0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.269] GetProcessHeap () returned 0x4e0000 [0088.269] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x61d) returned 0x50a8a8 [0088.270] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.270] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x61d, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x61d, lpOverlapped=0x0) returned 1 [0088.270] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.270] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x61d, lpOverlapped=0x0) returned 1 [0088.270] GetProcessHeap () returned 0x4e0000 [0088.270] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.270] CloseHandle (hObject=0xec) returned 1 [0088.271] GetProcessHeap () returned 0x4e0000 [0088.271] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.271] GetProcessHeap () returned 0x4e0000 [0088.271] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.271] GetProcessHeap () returned 0x4e0000 [0088.271] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.271] GetProcessHeap () returned 0x4e0000 [0088.271] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.271] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" [0088.271] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.NEPHILIM" [0088.271] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.nephilim")) returned 1 [0088.274] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0088.274] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0088.275] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0088.275] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.275] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0088.275] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.275] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.275] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.275] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.275] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.276] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.276] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.276] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.276] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.276] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.276] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.276] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.276] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.276] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.276] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.276] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.276] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.276] lstrlenA (lpString="NEPHILIM") returned 8 [0088.276] GetProcessHeap () returned 0x4e0000 [0088.276] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502ad0 [0088.276] lstrlenA (lpString="NEPHILIM") returned 8 [0088.276] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.277] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=2296) returned 1 [0088.277] GetProcessHeap () returned 0x4e0000 [0088.277] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.277] GetProcessHeap () returned 0x4e0000 [0088.277] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.277] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.277] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.277] GetProcessHeap () returned 0x4e0000 [0088.277] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.277] GetProcessHeap () returned 0x4e0000 [0088.278] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.278] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.278] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.278] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8f8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.278] SetLastError (dwErrCode=0x0) [0088.278] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.280] GetLastError () returned 0x0 [0088.280] GetLastError () returned 0x0 [0088.280] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x9f8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.280] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.280] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xaf8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.280] lstrlenA (lpString="NEPHILIM") returned 8 [0088.280] WriteFile (in: hFile=0xec, lpBuffer=0x502ad0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502ad0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.281] GetProcessHeap () returned 0x4e0000 [0088.281] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8f8) returned 0x50a8a8 [0088.281] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.281] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x8f8, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x8f8, lpOverlapped=0x0) returned 1 [0088.281] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.281] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x8f8, lpOverlapped=0x0) returned 1 [0088.281] GetProcessHeap () returned 0x4e0000 [0088.281] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.281] CloseHandle (hObject=0xec) returned 1 [0088.282] GetProcessHeap () returned 0x4e0000 [0088.282] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.282] GetProcessHeap () returned 0x4e0000 [0088.282] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.282] GetProcessHeap () returned 0x4e0000 [0088.282] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.282] GetProcessHeap () returned 0x4e0000 [0088.282] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.282] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.282] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0088.282] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0088.283] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0088.283] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0088.283] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0088.283] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0088.284] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0088.284] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0088.284] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0088.284] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0088.284] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0088.284] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0088.284] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0088.284] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0088.284] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0088.284] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0018-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C" [0088.284] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0088.284] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0088.284] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" [0088.284] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0088.287] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.287] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0088.287] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.287] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.287] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0088.287] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2=".") returned 1 [0088.287] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="..") returned 1 [0088.287] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="...") returned 1 [0088.287] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="windows") returned -1 [0088.287] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0088.287] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="rsa") returned -1 [0088.287] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="log") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="NTDETECT.COM") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="ntldr") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="MSDOS.SYS") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="IO.SYS") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="boot.ini") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="ntuser.dat") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="desktop.ini") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="CONFIG.SYS") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="RECYCLER") returned -1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="BOOTSECT.BAK") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="bootmgr") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="programdata") returned -1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="appdata") returned 1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="program files") returned -1 [0088.288] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="program files (x86)") returned -1 [0088.288] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0088.288] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="PowerPointMUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" [0088.288] PathFindExtensionW (pszPath="PowerPointMUI.msi") returned=".msi" [0088.288] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0088.288] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0088.288] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0088.288] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0088.288] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0088.288] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0088.288] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0088.288] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0088.289] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0088.289] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0088.289] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0088.289] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0088.289] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0088.289] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0088.289] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0088.289] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="PowerPointMUI.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2=".") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="..") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="...") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="windows") returned -1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="rsa") returned -1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="log") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="NTDETECT.COM") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="ntldr") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="MSDOS.SYS") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="IO.SYS") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="boot.ini") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="ntuser.dat") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="desktop.ini") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="CONFIG.SYS") returned 1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="RECYCLER") returned -1 [0088.289] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.290] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="bootmgr") returned 1 [0088.290] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="programdata") returned -1 [0088.290] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="appdata") returned 1 [0088.290] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="program files") returned -1 [0088.290] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="program files (x86)") returned -1 [0088.290] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0088.290] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="PowerPointMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" [0088.290] PathFindExtensionW (pszPath="PowerPointMUI.xml") returned=".xml" [0088.290] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.290] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.290] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.290] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.290] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.291] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.291] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.291] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.291] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.291] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.291] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.291] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.291] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.291] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.291] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.291] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.291] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.291] lstrlenA (lpString="NEPHILIM") returned 8 [0088.291] GetProcessHeap () returned 0x4e0000 [0088.291] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502ae0 [0088.291] lstrlenA (lpString="NEPHILIM") returned 8 [0088.291] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.292] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1450) returned 1 [0088.292] GetProcessHeap () returned 0x4e0000 [0088.292] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.292] GetProcessHeap () returned 0x4e0000 [0088.292] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.292] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.292] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.292] GetProcessHeap () returned 0x4e0000 [0088.292] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.292] GetProcessHeap () returned 0x4e0000 [0088.292] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.292] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.292] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.293] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x5aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.293] SetLastError (dwErrCode=0x0) [0088.293] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.295] GetLastError () returned 0x0 [0088.295] GetLastError () returned 0x0 [0088.295] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.295] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.295] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.295] lstrlenA (lpString="NEPHILIM") returned 8 [0088.296] WriteFile (in: hFile=0xec, lpBuffer=0x502ae0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502ae0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.296] GetProcessHeap () returned 0x4e0000 [0088.296] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x5aa) returned 0x50a8a8 [0088.296] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.296] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x5aa, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x5aa, lpOverlapped=0x0) returned 1 [0088.296] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.296] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x5aa, lpOverlapped=0x0) returned 1 [0088.296] GetProcessHeap () returned 0x4e0000 [0088.296] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.296] CloseHandle (hObject=0xec) returned 1 [0088.305] GetProcessHeap () returned 0x4e0000 [0088.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.305] GetProcessHeap () returned 0x4e0000 [0088.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.305] GetProcessHeap () returned 0x4e0000 [0088.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.305] GetProcessHeap () returned 0x4e0000 [0088.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.305] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" [0088.305] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.NEPHILIM" [0088.305] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.nephilim")) returned 1 [0088.307] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d523500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2d523500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8b079d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x431a290, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="PptLR.cab", cAlternateFileName="")) returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2=".") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="..") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="...") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="windows") returned -1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="$RECYCLE.BIN") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="rsa") returned -1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="log") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="NTDETECT.COM") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="ntldr") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="MSDOS.SYS") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="IO.SYS") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="boot.ini") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="AUTOEXEC.BAT") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="ntuser.dat") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="desktop.ini") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="CONFIG.SYS") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="RECYCLER") returned -1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="BOOTSECT.BAK") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="bootmgr") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="programdata") returned -1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="appdata") returned 1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="program files") returned -1 [0088.307] lstrcmpiW (lpString1="PptLR.cab", lpString2="program files (x86)") returned -1 [0088.307] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0088.308] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="PptLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" [0088.308] PathFindExtensionW (pszPath="PptLR.cab") returned=".cab" [0088.308] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0088.308] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0088.308] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0088.308] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0088.308] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0088.309] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0088.309] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.309] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0088.309] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0088.309] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0088.309] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0088.309] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0088.309] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0088.309] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.309] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0088.309] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.309] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.309] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.309] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.309] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.309] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.309] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.309] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.309] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.309] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.309] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.309] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.310] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.310] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.310] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.310] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.310] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.310] lstrlenA (lpString="NEPHILIM") returned 8 [0088.310] GetProcessHeap () returned 0x4e0000 [0088.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502af0 [0088.310] lstrlenA (lpString="NEPHILIM") returned 8 [0088.310] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.310] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1886) returned 1 [0088.310] GetProcessHeap () returned 0x4e0000 [0088.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.310] GetProcessHeap () returned 0x4e0000 [0088.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.310] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.310] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.311] GetProcessHeap () returned 0x4e0000 [0088.311] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.311] GetProcessHeap () returned 0x4e0000 [0088.311] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.311] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.311] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.311] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x75e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.311] SetLastError (dwErrCode=0x0) [0088.311] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.313] GetLastError () returned 0x0 [0088.314] GetLastError () returned 0x0 [0088.314] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x85e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.314] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.314] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x95e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.314] lstrlenA (lpString="NEPHILIM") returned 8 [0088.314] WriteFile (in: hFile=0xec, lpBuffer=0x502af0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502af0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.314] GetProcessHeap () returned 0x4e0000 [0088.314] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x75e) returned 0x50a8a8 [0088.314] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.314] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x75e, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x75e, lpOverlapped=0x0) returned 1 [0088.314] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.314] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x75e, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x75e, lpOverlapped=0x0) returned 1 [0088.315] GetProcessHeap () returned 0x4e0000 [0088.315] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.315] CloseHandle (hObject=0xec) returned 1 [0088.319] GetProcessHeap () returned 0x4e0000 [0088.319] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.319] GetProcessHeap () returned 0x4e0000 [0088.319] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.319] GetProcessHeap () returned 0x4e0000 [0088.319] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.319] GetProcessHeap () returned 0x4e0000 [0088.319] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.319] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.319] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0088.319] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0088.320] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0088.320] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0088.321] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0088.321] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0088.322] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0088.322] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0088.322] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0088.322] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0088.322] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0088.322] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0088.322] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0088.322] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0088.322] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0088.322] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0019-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C" [0088.322] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0088.322] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0088.322] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*" [0088.322] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0088.325] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.325] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0088.325] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.325] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.325] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0088.325] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2=".") returned 1 [0088.325] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="..") returned 1 [0088.325] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="...") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="windows") returned -1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="rsa") returned -1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="log") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="NTDETECT.COM") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="ntldr") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="MSDOS.SYS") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="IO.SYS") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="boot.ini") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="ntuser.dat") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="desktop.ini") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="CONFIG.SYS") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="RECYCLER") returned -1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="BOOTSECT.BAK") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="bootmgr") returned 1 [0088.326] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="programdata") returned 1 [0088.329] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="appdata") returned 1 [0088.329] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="program files") returned 1 [0088.329] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="program files (x86)") returned 1 [0088.329] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0088.329] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="PublisherMUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" [0088.330] PathFindExtensionW (pszPath="PublisherMUI.msi") returned=".msi" [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0088.330] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0088.330] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="PublisherMUI.xml", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0088.330] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2=".") returned 1 [0088.330] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="..") returned 1 [0088.330] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="...") returned 1 [0088.330] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="windows") returned -1 [0088.330] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.330] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="rsa") returned -1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="log") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="NTDETECT.COM") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="ntldr") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="MSDOS.SYS") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="IO.SYS") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="boot.ini") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="ntuser.dat") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="desktop.ini") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="CONFIG.SYS") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="RECYCLER") returned -1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="bootmgr") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="programdata") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="appdata") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="program files") returned 1 [0088.331] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="program files (x86)") returned 1 [0088.331] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0088.332] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="PublisherMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" [0088.332] PathFindExtensionW (pszPath="PublisherMUI.xml") returned=".xml" [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.332] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.332] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.332] lstrlenA (lpString="NEPHILIM") returned 8 [0088.332] GetProcessHeap () returned 0x4e0000 [0088.333] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502b00 [0088.333] lstrlenA (lpString="NEPHILIM") returned 8 [0088.333] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.334] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1450) returned 1 [0088.334] GetProcessHeap () returned 0x4e0000 [0088.334] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.334] GetProcessHeap () returned 0x4e0000 [0088.334] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.334] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.334] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.334] GetProcessHeap () returned 0x4e0000 [0088.334] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.334] GetProcessHeap () returned 0x4e0000 [0088.334] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.334] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.335] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.335] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x5aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.335] SetLastError (dwErrCode=0x0) [0088.335] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.338] GetLastError () returned 0x0 [0088.338] GetLastError () returned 0x0 [0088.338] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.338] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.338] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.338] lstrlenA (lpString="NEPHILIM") returned 8 [0088.338] WriteFile (in: hFile=0xec, lpBuffer=0x502b00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502b00*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.338] GetProcessHeap () returned 0x4e0000 [0088.338] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x5aa) returned 0x50a8a8 [0088.338] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.338] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x5aa, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x5aa, lpOverlapped=0x0) returned 1 [0088.338] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.339] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x5aa, lpOverlapped=0x0) returned 1 [0088.339] GetProcessHeap () returned 0x4e0000 [0088.339] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.339] CloseHandle (hObject=0xec) returned 1 [0088.340] GetProcessHeap () returned 0x4e0000 [0088.340] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.340] GetProcessHeap () returned 0x4e0000 [0088.340] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.340] GetProcessHeap () returned 0x4e0000 [0088.340] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.340] GetProcessHeap () returned 0x4e0000 [0088.340] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.340] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" [0088.340] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.NEPHILIM" [0088.340] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.nephilim")) returned 1 [0088.341] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc47e320, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x97f3f4, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="PubLR.cab", cAlternateFileName="")) returned 1 [0088.341] lstrcmpiW (lpString1="PubLR.cab", lpString2=".") returned 1 [0088.341] lstrcmpiW (lpString1="PubLR.cab", lpString2="..") returned 1 [0088.341] lstrcmpiW (lpString1="PubLR.cab", lpString2="...") returned 1 [0088.341] lstrcmpiW (lpString1="PubLR.cab", lpString2="windows") returned -1 [0088.341] lstrcmpiW (lpString1="PubLR.cab", lpString2="$RECYCLE.BIN") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="rsa") returned -1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="log") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="NTDETECT.COM") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="ntldr") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="MSDOS.SYS") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="IO.SYS") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="boot.ini") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="AUTOEXEC.BAT") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="ntuser.dat") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="desktop.ini") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="CONFIG.SYS") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="RECYCLER") returned -1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="BOOTSECT.BAK") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="bootmgr") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="programdata") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="appdata") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="program files") returned 1 [0088.342] lstrcmpiW (lpString1="PubLR.cab", lpString2="program files (x86)") returned 1 [0088.342] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0088.342] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="PubLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" [0088.342] PathFindExtensionW (pszPath="PubLR.cab") returned=".cab" [0088.342] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0088.342] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0088.343] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0088.343] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0088.343] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0088.344] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0088.344] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0088.344] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0088.344] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0088.344] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.344] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.344] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.345] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.345] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.345] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.345] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.345] lstrlenA (lpString="NEPHILIM") returned 8 [0088.345] GetProcessHeap () returned 0x4e0000 [0088.345] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502b10 [0088.345] lstrlenA (lpString="NEPHILIM") returned 8 [0088.345] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.345] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1608) returned 1 [0088.345] GetProcessHeap () returned 0x4e0000 [0088.345] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.346] GetProcessHeap () returned 0x4e0000 [0088.346] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.346] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.346] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.346] GetProcessHeap () returned 0x4e0000 [0088.346] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.346] GetProcessHeap () returned 0x4e0000 [0088.346] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.346] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.346] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.346] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x648, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.347] SetLastError (dwErrCode=0x0) [0088.347] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.351] GetLastError () returned 0x0 [0088.351] GetLastError () returned 0x0 [0088.351] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x748, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.351] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.351] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x848, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.351] lstrlenA (lpString="NEPHILIM") returned 8 [0088.352] WriteFile (in: hFile=0xec, lpBuffer=0x502b10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502b10*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.352] GetProcessHeap () returned 0x4e0000 [0088.352] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x648) returned 0x50a8a8 [0088.352] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.352] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x648, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x648, lpOverlapped=0x0) returned 1 [0088.352] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.352] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x648, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x648, lpOverlapped=0x0) returned 1 [0088.352] GetProcessHeap () returned 0x4e0000 [0088.352] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.352] CloseHandle (hObject=0xec) returned 1 [0088.354] GetProcessHeap () returned 0x4e0000 [0088.354] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.354] GetProcessHeap () returned 0x4e0000 [0088.354] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.354] GetProcessHeap () returned 0x4e0000 [0088.354] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.354] GetProcessHeap () returned 0x4e0000 [0088.354] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.354] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.354] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0088.355] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0088.355] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0088.355] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0088.355] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0088.355] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0088.355] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0088.355] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0088.356] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0088.356] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0088.356] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-001A-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C" [0088.356] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0088.356] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0088.356] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*" [0088.356] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0088.359] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.359] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0088.359] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.359] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.360] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2=".") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="..") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="...") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="windows") returned -1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="$RECYCLE.BIN") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="rsa") returned -1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="log") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="NTDETECT.COM") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="ntldr") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="MSDOS.SYS") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="IO.SYS") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="boot.ini") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="AUTOEXEC.BAT") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="ntuser.dat") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="desktop.ini") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="CONFIG.SYS") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="RECYCLER") returned -1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="BOOTSECT.BAK") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="bootmgr") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="programdata") returned -1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="appdata") returned 1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="program files") returned -1 [0088.360] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="program files (x86)") returned -1 [0088.361] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0088.361] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="OutlkLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" [0088.361] PathFindExtensionW (pszPath="OutlkLR.cab") returned=".cab" [0088.361] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0088.361] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0088.361] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0088.361] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2bba00, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OutlookMUI.msi", cAlternateFileName="OUTLOO~1.MSI")) returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2=".") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="..") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="...") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="windows") returned -1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="rsa") returned -1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="log") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="NTDETECT.COM") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="ntldr") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="MSDOS.SYS") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="IO.SYS") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="boot.ini") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="ntuser.dat") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="desktop.ini") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="CONFIG.SYS") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="RECYCLER") returned -1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="BOOTSECT.BAK") returned 1 [0088.361] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="bootmgr") returned 1 [0088.362] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="programdata") returned -1 [0088.362] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="appdata") returned 1 [0088.362] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="program files") returned -1 [0088.362] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="program files (x86)") returned -1 [0088.362] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0088.362] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="OutlookMUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" [0088.362] PathFindExtensionW (pszPath="OutlookMUI.msi") returned=".msi" [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0088.362] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0088.362] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OutlookMUI.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0088.362] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2=".") returned 1 [0088.362] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="..") returned 1 [0088.362] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="...") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="windows") returned -1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="rsa") returned -1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="log") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="NTDETECT.COM") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="ntldr") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="MSDOS.SYS") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="IO.SYS") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="boot.ini") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="ntuser.dat") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="desktop.ini") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="CONFIG.SYS") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="RECYCLER") returned -1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="bootmgr") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="programdata") returned -1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="appdata") returned 1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="program files") returned -1 [0088.363] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="program files (x86)") returned -1 [0088.363] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0088.363] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="OutlookMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" [0088.363] PathFindExtensionW (pszPath="OutlookMUI.xml") returned=".xml" [0088.363] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.363] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.363] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.364] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.364] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.364] lstrlenA (lpString="NEPHILIM") returned 8 [0088.364] GetProcessHeap () returned 0x4e0000 [0088.364] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502b20 [0088.364] lstrlenA (lpString="NEPHILIM") returned 8 [0088.364] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.365] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=3186) returned 1 [0088.365] GetProcessHeap () returned 0x4e0000 [0088.365] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.365] GetProcessHeap () returned 0x4e0000 [0088.365] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.365] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.365] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.365] GetProcessHeap () returned 0x4e0000 [0088.365] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.365] GetProcessHeap () returned 0x4e0000 [0088.365] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.365] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.365] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.366] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xc72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.366] SetLastError (dwErrCode=0x0) [0088.366] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.368] GetLastError () returned 0x0 [0088.368] GetLastError () returned 0x0 [0088.369] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xd72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.369] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.369] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.369] lstrlenA (lpString="NEPHILIM") returned 8 [0088.369] WriteFile (in: hFile=0xec, lpBuffer=0x502b20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502b20*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.369] GetProcessHeap () returned 0x4e0000 [0088.369] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xc72) returned 0x50a8a8 [0088.369] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.369] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0xc72, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0xc72, lpOverlapped=0x0) returned 1 [0088.369] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.369] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0xc72, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0xc72, lpOverlapped=0x0) returned 1 [0088.370] GetProcessHeap () returned 0x4e0000 [0088.370] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.370] CloseHandle (hObject=0xec) returned 1 [0088.375] GetProcessHeap () returned 0x4e0000 [0088.375] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.375] GetProcessHeap () returned 0x4e0000 [0088.375] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.375] GetProcessHeap () returned 0x4e0000 [0088.375] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.376] GetProcessHeap () returned 0x4e0000 [0088.376] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.376] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" [0088.376] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.NEPHILIM" [0088.376] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.nephilim")) returned 1 [0088.376] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0088.376] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0088.376] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0088.376] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0088.376] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0088.376] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.376] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0088.377] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0088.377] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0088.377] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.377] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0088.377] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.377] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.377] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.377] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.377] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.378] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.378] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.378] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.378] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.378] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.378] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.378] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.378] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.378] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.378] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.378] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.378] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.378] lstrlenA (lpString="NEPHILIM") returned 8 [0088.378] GetProcessHeap () returned 0x4e0000 [0088.378] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502b30 [0088.378] lstrlenA (lpString="NEPHILIM") returned 8 [0088.378] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.380] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=4207) returned 1 [0088.380] GetProcessHeap () returned 0x4e0000 [0088.380] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.380] GetProcessHeap () returned 0x4e0000 [0088.380] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.380] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.380] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.380] GetProcessHeap () returned 0x4e0000 [0088.380] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.380] GetProcessHeap () returned 0x4e0000 [0088.380] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.380] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.380] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.381] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x106f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.381] SetLastError (dwErrCode=0x0) [0088.381] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.383] GetLastError () returned 0x0 [0088.383] GetLastError () returned 0x0 [0088.383] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x116f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.383] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.383] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x126f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.383] lstrlenA (lpString="NEPHILIM") returned 8 [0088.383] WriteFile (in: hFile=0xec, lpBuffer=0x502b30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502b30*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.383] GetProcessHeap () returned 0x4e0000 [0088.383] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x106f) returned 0x50a8a8 [0088.383] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.383] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x106f, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x106f, lpOverlapped=0x0) returned 1 [0088.385] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.385] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x106f, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x106f, lpOverlapped=0x0) returned 1 [0088.385] GetProcessHeap () returned 0x4e0000 [0088.385] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.385] CloseHandle (hObject=0xec) returned 1 [0088.389] GetProcessHeap () returned 0x4e0000 [0088.389] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.389] GetProcessHeap () returned 0x4e0000 [0088.389] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.389] GetProcessHeap () returned 0x4e0000 [0088.389] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.389] GetProcessHeap () returned 0x4e0000 [0088.389] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.389] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.389] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0088.389] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0088.390] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0088.390] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0088.390] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0088.390] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0088.390] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0088.390] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-001B-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C" [0088.391] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0088.391] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0088.391] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" [0088.391] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0088.392] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.392] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0088.392] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.392] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.392] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0088.392] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0088.392] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0088.393] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.393] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.393] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.393] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.393] lstrlenA (lpString="NEPHILIM") returned 8 [0088.393] GetProcessHeap () returned 0x4e0000 [0088.393] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502b40 [0088.393] lstrlenA (lpString="NEPHILIM") returned 8 [0088.393] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.394] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=2424) returned 1 [0088.394] GetProcessHeap () returned 0x4e0000 [0088.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.394] GetProcessHeap () returned 0x4e0000 [0088.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.394] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.394] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.394] GetProcessHeap () returned 0x4e0000 [0088.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.394] GetProcessHeap () returned 0x4e0000 [0088.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.394] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.394] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.395] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x978, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.395] SetLastError (dwErrCode=0x0) [0088.395] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.397] GetLastError () returned 0x0 [0088.397] GetLastError () returned 0x0 [0088.397] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xa78, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.397] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.397] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xb78, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.397] lstrlenA (lpString="NEPHILIM") returned 8 [0088.397] WriteFile (in: hFile=0xec, lpBuffer=0x502b40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502b40*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.397] GetProcessHeap () returned 0x4e0000 [0088.397] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x978) returned 0x50a8a8 [0088.397] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.397] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x978, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x978, lpOverlapped=0x0) returned 1 [0088.398] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.398] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x978, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x978, lpOverlapped=0x0) returned 1 [0088.398] GetProcessHeap () returned 0x4e0000 [0088.398] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.398] CloseHandle (hObject=0xec) returned 1 [0088.400] GetProcessHeap () returned 0x4e0000 [0088.400] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.400] GetProcessHeap () returned 0x4e0000 [0088.400] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.400] GetProcessHeap () returned 0x4e0000 [0088.400] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.400] GetProcessHeap () returned 0x4e0000 [0088.400] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.400] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.400] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0088.401] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0088.403] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fb48f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2fb48f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc967850, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x29c6dbd, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="WordLR.cab", cAlternateFileName="")) returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2=".") returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2="..") returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2="...") returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2="windows") returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2="$RECYCLE.BIN") returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2="rsa") returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2="log") returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2="NTDETECT.COM") returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2="ntldr") returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2="MSDOS.SYS") returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2="IO.SYS") returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2="boot.ini") returned 1 [0088.403] lstrcmpiW (lpString1="WordLR.cab", lpString2="AUTOEXEC.BAT") returned 1 [0088.404] lstrcmpiW (lpString1="WordLR.cab", lpString2="ntuser.dat") returned 1 [0088.404] lstrcmpiW (lpString1="WordLR.cab", lpString2="desktop.ini") returned 1 [0088.404] lstrcmpiW (lpString1="WordLR.cab", lpString2="CONFIG.SYS") returned 1 [0088.404] lstrcmpiW (lpString1="WordLR.cab", lpString2="RECYCLER") returned 1 [0088.404] lstrcmpiW (lpString1="WordLR.cab", lpString2="BOOTSECT.BAK") returned 1 [0088.404] lstrcmpiW (lpString1="WordLR.cab", lpString2="bootmgr") returned 1 [0088.404] lstrcmpiW (lpString1="WordLR.cab", lpString2="programdata") returned 1 [0088.404] lstrcmpiW (lpString1="WordLR.cab", lpString2="appdata") returned 1 [0088.404] lstrcmpiW (lpString1="WordLR.cab", lpString2="program files") returned 1 [0088.404] lstrcmpiW (lpString1="WordLR.cab", lpString2="program files (x86)") returned 1 [0088.404] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0088.404] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="WordLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" [0088.404] PathFindExtensionW (pszPath="WordLR.cab") returned=".cab" [0088.404] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0088.404] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0088.404] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0088.404] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x267e00, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="WordMUI.msi", cAlternateFileName="")) returned 1 [0088.404] lstrcmpiW (lpString1="WordMUI.msi", lpString2=".") returned 1 [0088.404] lstrcmpiW (lpString1="WordMUI.msi", lpString2="..") returned 1 [0088.404] lstrcmpiW (lpString1="WordMUI.msi", lpString2="...") returned 1 [0088.404] lstrcmpiW (lpString1="WordMUI.msi", lpString2="windows") returned 1 [0088.404] lstrcmpiW (lpString1="WordMUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0088.404] lstrcmpiW (lpString1="WordMUI.msi", lpString2="rsa") returned 1 [0088.404] lstrcmpiW (lpString1="WordMUI.msi", lpString2="log") returned 1 [0088.404] lstrcmpiW (lpString1="WordMUI.msi", lpString2="NTDETECT.COM") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="ntldr") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="MSDOS.SYS") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="IO.SYS") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="boot.ini") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="ntuser.dat") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="desktop.ini") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="CONFIG.SYS") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="RECYCLER") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="BOOTSECT.BAK") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="bootmgr") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="programdata") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="appdata") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="program files") returned 1 [0088.405] lstrcmpiW (lpString1="WordMUI.msi", lpString2="program files (x86)") returned 1 [0088.405] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0088.405] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="WordMUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" [0088.405] PathFindExtensionW (pszPath="WordMUI.msi") returned=".msi" [0088.405] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0088.405] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0088.405] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0088.405] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0088.405] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0088.405] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0088.405] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0088.405] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0088.405] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0088.406] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0088.406] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0088.406] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0088.406] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0088.406] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0088.406] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0088.406] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="WordMUI.xml", cAlternateFileName="")) returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2=".") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="..") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="...") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="windows") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="rsa") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="log") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="NTDETECT.COM") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="ntldr") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="MSDOS.SYS") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="IO.SYS") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="boot.ini") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="ntuser.dat") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="desktop.ini") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="CONFIG.SYS") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="RECYCLER") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="bootmgr") returned 1 [0088.406] lstrcmpiW (lpString1="WordMUI.xml", lpString2="programdata") returned 1 [0088.407] lstrcmpiW (lpString1="WordMUI.xml", lpString2="appdata") returned 1 [0088.407] lstrcmpiW (lpString1="WordMUI.xml", lpString2="program files") returned 1 [0088.407] lstrcmpiW (lpString1="WordMUI.xml", lpString2="program files (x86)") returned 1 [0088.407] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0088.407] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="WordMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" [0088.407] PathFindExtensionW (pszPath="WordMUI.xml") returned=".xml" [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.407] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.407] lstrcmpiW (lpString1="WordMUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.407] lstrlenA (lpString="NEPHILIM") returned 8 [0088.407] GetProcessHeap () returned 0x4e0000 [0088.408] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502b50 [0088.408] lstrlenA (lpString="NEPHILIM") returned 8 [0088.408] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.408] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1800) returned 1 [0088.408] GetProcessHeap () returned 0x4e0000 [0088.408] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.408] GetProcessHeap () returned 0x4e0000 [0088.408] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.408] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.408] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.408] GetProcessHeap () returned 0x4e0000 [0088.408] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.408] GetProcessHeap () returned 0x4e0000 [0088.408] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.408] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.409] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.409] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x708, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.409] SetLastError (dwErrCode=0x0) [0088.409] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.411] GetLastError () returned 0x0 [0088.411] GetLastError () returned 0x0 [0088.411] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x808, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.411] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.411] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x908, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.412] lstrlenA (lpString="NEPHILIM") returned 8 [0088.412] WriteFile (in: hFile=0xec, lpBuffer=0x502b50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502b50*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.412] GetProcessHeap () returned 0x4e0000 [0088.412] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x708) returned 0x50a8a8 [0088.412] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.412] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x708, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x708, lpOverlapped=0x0) returned 1 [0088.412] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.412] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x708, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x708, lpOverlapped=0x0) returned 1 [0088.412] GetProcessHeap () returned 0x4e0000 [0088.412] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.412] CloseHandle (hObject=0xec) returned 1 [0088.451] GetProcessHeap () returned 0x4e0000 [0088.451] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.451] GetProcessHeap () returned 0x4e0000 [0088.451] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.451] GetProcessHeap () returned 0x4e0000 [0088.451] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.451] GetProcessHeap () returned 0x4e0000 [0088.451] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.451] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" [0088.451] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.NEPHILIM" [0088.451] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.nephilim")) returned 1 [0088.452] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="WordMUI.xml", cAlternateFileName="")) returned 0 [0088.452] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0088.452] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0088.452] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0088.452] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0088.452] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0088.452] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0088.452] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0088.452] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0088.452] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0088.452] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0088.452] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0088.453] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0088.453] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0088.453] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-002C-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C" [0088.453] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0088.453] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0088.453] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" [0088.453] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0088.456] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.456] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0088.456] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.456] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.456] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0088.456] lstrcmpiW (lpString1="Proof.en", lpString2=".") returned 1 [0088.456] lstrcmpiW (lpString1="Proof.en", lpString2="..") returned 1 [0088.456] lstrcmpiW (lpString1="Proof.en", lpString2="...") returned 1 [0088.456] lstrcmpiW (lpString1="Proof.en", lpString2="windows") returned -1 [0088.456] lstrcmpiW (lpString1="Proof.en", lpString2="$RECYCLE.BIN") returned 1 [0088.456] lstrcmpiW (lpString1="Proof.en", lpString2="rsa") returned -1 [0088.456] lstrcmpiW (lpString1="Proof.en", lpString2="log") returned 1 [0088.456] lstrcmpiW (lpString1="Proof.en", lpString2="NTDETECT.COM") returned 1 [0088.456] lstrcmpiW (lpString1="Proof.en", lpString2="ntldr") returned 1 [0088.456] lstrcmpiW (lpString1="Proof.en", lpString2="MSDOS.SYS") returned 1 [0088.456] lstrcmpiW (lpString1="Proof.en", lpString2="IO.SYS") returned 1 [0088.457] lstrcmpiW (lpString1="Proof.en", lpString2="boot.ini") returned 1 [0088.457] lstrcmpiW (lpString1="Proof.en", lpString2="AUTOEXEC.BAT") returned 1 [0088.457] lstrcmpiW (lpString1="Proof.en", lpString2="ntuser.dat") returned 1 [0088.457] lstrcmpiW (lpString1="Proof.en", lpString2="desktop.ini") returned 1 [0088.457] lstrcmpiW (lpString1="Proof.en", lpString2="CONFIG.SYS") returned 1 [0088.457] lstrcmpiW (lpString1="Proof.en", lpString2="RECYCLER") returned -1 [0088.457] lstrcmpiW (lpString1="Proof.en", lpString2="BOOTSECT.BAK") returned 1 [0088.457] lstrcmpiW (lpString1="Proof.en", lpString2="bootmgr") returned 1 [0088.457] lstrcmpiW (lpString1="Proof.en", lpString2="programdata") returned 1 [0088.457] lstrcmpiW (lpString1="Proof.en", lpString2="appdata") returned 1 [0088.457] lstrcmpiW (lpString1="Proof.en", lpString2="program files") returned 1 [0088.457] lstrcmpiW (lpString1="Proof.en", lpString2="program files (x86)") returned 1 [0088.457] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0088.457] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proof.en" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en" [0088.457] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" [0088.457] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" [0088.457] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*" [0088.457] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x502870 [0088.457] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.457] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0088.457] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.458] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.458] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x219b4a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x219b4a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf07b1ad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xaf35ed, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2=".") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="..") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="...") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="windows") returned -1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="$RECYCLE.BIN") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="rsa") returned -1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="log") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="NTDETECT.COM") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="ntldr") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="MSDOS.SYS") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="IO.SYS") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="boot.ini") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="AUTOEXEC.BAT") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="ntuser.dat") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="desktop.ini") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="CONFIG.SYS") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="RECYCLER") returned -1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="BOOTSECT.BAK") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="bootmgr") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="programdata") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="appdata") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="program files") returned 1 [0088.458] lstrcmpiW (lpString1="Proof.cab", lpString2="program files (x86)") returned 1 [0088.458] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" [0088.458] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpString2="Proof.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" [0088.458] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0088.458] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0088.458] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0088.459] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0088.459] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4db6cb00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x4db6cb00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf020c5d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5c00, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2=".") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="..") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="...") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="windows") returned -1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="$RECYCLE.BIN") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="rsa") returned -1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="log") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="NTDETECT.COM") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="ntldr") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="MSDOS.SYS") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="IO.SYS") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="boot.ini") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="ntuser.dat") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="desktop.ini") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="CONFIG.SYS") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="RECYCLER") returned -1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="BOOTSECT.BAK") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="bootmgr") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="programdata") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="appdata") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="program files") returned 1 [0088.459] lstrcmpiW (lpString1="Proof.msi", lpString2="program files (x86)") returned 1 [0088.459] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" [0088.459] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpString2="Proof.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" [0088.460] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0088.460] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0088.460] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2=".") returned 1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2="..") returned 1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2="...") returned 1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2="windows") returned -1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2="rsa") returned -1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2="log") returned 1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2="NTDETECT.COM") returned 1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2="ntldr") returned 1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2="MSDOS.SYS") returned 1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2="IO.SYS") returned 1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2="boot.ini") returned 1 [0088.460] lstrcmpiW (lpString1="Proof.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.461] lstrcmpiW (lpString1="Proof.xml", lpString2="ntuser.dat") returned 1 [0088.461] lstrcmpiW (lpString1="Proof.xml", lpString2="desktop.ini") returned 1 [0088.461] lstrcmpiW (lpString1="Proof.xml", lpString2="CONFIG.SYS") returned 1 [0088.461] lstrcmpiW (lpString1="Proof.xml", lpString2="RECYCLER") returned -1 [0088.461] lstrcmpiW (lpString1="Proof.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.461] lstrcmpiW (lpString1="Proof.xml", lpString2="bootmgr") returned 1 [0088.461] lstrcmpiW (lpString1="Proof.xml", lpString2="programdata") returned 1 [0088.461] lstrcmpiW (lpString1="Proof.xml", lpString2="appdata") returned 1 [0088.461] lstrcmpiW (lpString1="Proof.xml", lpString2="program files") returned 1 [0088.461] lstrcmpiW (lpString1="Proof.xml", lpString2="program files (x86)") returned 1 [0088.461] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" [0088.461] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpString2="Proof.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" [0088.461] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.461] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.461] lstrcmpiW (lpString1="Proof.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.461] lstrlenA (lpString="NEPHILIM") returned 8 [0088.461] GetProcessHeap () returned 0x4e0000 [0088.462] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502b60 [0088.462] lstrlenA (lpString="NEPHILIM") returned 8 [0088.462] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0088.463] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=1347) returned 1 [0088.463] GetProcessHeap () returned 0x4e0000 [0088.463] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.463] GetProcessHeap () returned 0x4e0000 [0088.463] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.463] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.463] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.463] GetProcessHeap () returned 0x4e0000 [0088.463] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.463] GetProcessHeap () returned 0x4e0000 [0088.463] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.463] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0088.463] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0088.463] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x543, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.463] SetLastError (dwErrCode=0x0) [0088.463] WriteFile (in: hFile=0xf0, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0088.466] GetLastError () returned 0x0 [0088.466] GetLastError () returned 0x0 [0088.466] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x643, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.466] WriteFile (in: hFile=0xf0, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0088.466] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x743, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.466] lstrlenA (lpString="NEPHILIM") returned 8 [0088.466] WriteFile (in: hFile=0xf0, lpBuffer=0x502b60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x502b60*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0088.466] GetProcessHeap () returned 0x4e0000 [0088.466] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x543) returned 0x50b8b0 [0088.466] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.466] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0x543, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0x543, lpOverlapped=0x0) returned 1 [0088.466] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.466] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0x543, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x543, lpOverlapped=0x0) returned 1 [0088.466] GetProcessHeap () returned 0x4e0000 [0088.466] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0088.466] CloseHandle (hObject=0xf0) returned 1 [0088.476] GetProcessHeap () returned 0x4e0000 [0088.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.476] GetProcessHeap () returned 0x4e0000 [0088.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.476] GetProcessHeap () returned 0x4e0000 [0088.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.477] GetProcessHeap () returned 0x4e0000 [0088.477] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.477] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" [0088.477] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.NEPHILIM" [0088.477] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.nephilim")) returned 1 [0088.477] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0088.478] FindClose (in: hFindFile=0x502870 | out: hFindFile=0x502870) returned 1 [0088.478] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2=".") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="..") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="...") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="windows") returned -1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="$RECYCLE.BIN") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="rsa") returned -1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="log") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="NTDETECT.COM") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="ntldr") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="MSDOS.SYS") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="IO.SYS") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="boot.ini") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="AUTOEXEC.BAT") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="ntuser.dat") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="desktop.ini") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="CONFIG.SYS") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="RECYCLER") returned -1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="BOOTSECT.BAK") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="bootmgr") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="programdata") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="appdata") returned 1 [0088.478] lstrcmpiW (lpString1="Proof.es", lpString2="program files") returned 1 [0088.479] lstrcmpiW (lpString1="Proof.es", lpString2="program files (x86)") returned 1 [0088.479] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0088.479] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proof.es" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es" [0088.479] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" [0088.479] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" [0088.479] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*" [0088.479] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x502870 [0088.480] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.480] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0088.480] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.480] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.480] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd02aea, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2=".") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="..") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="...") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="windows") returned -1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="$RECYCLE.BIN") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="rsa") returned -1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="log") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="NTDETECT.COM") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="ntldr") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="MSDOS.SYS") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="IO.SYS") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="boot.ini") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="AUTOEXEC.BAT") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="ntuser.dat") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="desktop.ini") returned 1 [0088.480] lstrcmpiW (lpString1="Proof.cab", lpString2="CONFIG.SYS") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.cab", lpString2="RECYCLER") returned -1 [0088.481] lstrcmpiW (lpString1="Proof.cab", lpString2="BOOTSECT.BAK") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.cab", lpString2="bootmgr") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.cab", lpString2="programdata") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.cab", lpString2="appdata") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.cab", lpString2="program files") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.cab", lpString2="program files (x86)") returned 1 [0088.481] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" [0088.481] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpString2="Proof.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" [0088.481] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0088.481] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0088.481] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0088.481] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0088.481] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e5c7f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd7200, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0088.481] lstrcmpiW (lpString1="Proof.msi", lpString2=".") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.msi", lpString2="..") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.msi", lpString2="...") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.msi", lpString2="windows") returned -1 [0088.481] lstrcmpiW (lpString1="Proof.msi", lpString2="$RECYCLE.BIN") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.msi", lpString2="rsa") returned -1 [0088.481] lstrcmpiW (lpString1="Proof.msi", lpString2="log") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.msi", lpString2="NTDETECT.COM") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.msi", lpString2="ntldr") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.msi", lpString2="MSDOS.SYS") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.msi", lpString2="IO.SYS") returned 1 [0088.481] lstrcmpiW (lpString1="Proof.msi", lpString2="boot.ini") returned 1 [0088.482] lstrcmpiW (lpString1="Proof.msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.482] lstrcmpiW (lpString1="Proof.msi", lpString2="ntuser.dat") returned 1 [0088.482] lstrcmpiW (lpString1="Proof.msi", lpString2="desktop.ini") returned 1 [0088.482] lstrcmpiW (lpString1="Proof.msi", lpString2="CONFIG.SYS") returned 1 [0088.482] lstrcmpiW (lpString1="Proof.msi", lpString2="RECYCLER") returned -1 [0088.482] lstrcmpiW (lpString1="Proof.msi", lpString2="BOOTSECT.BAK") returned 1 [0088.482] lstrcmpiW (lpString1="Proof.msi", lpString2="bootmgr") returned 1 [0088.482] lstrcmpiW (lpString1="Proof.msi", lpString2="programdata") returned 1 [0088.482] lstrcmpiW (lpString1="Proof.msi", lpString2="appdata") returned 1 [0088.482] lstrcmpiW (lpString1="Proof.msi", lpString2="program files") returned 1 [0088.482] lstrcmpiW (lpString1="Proof.msi", lpString2="program files (x86)") returned 1 [0088.482] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" [0088.482] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpString2="Proof.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" [0088.482] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0088.482] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0088.482] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0088.482] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0088.482] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0088.482] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0088.482] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0088.482] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0088.482] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0088.482] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0088.482] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0088.482] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0088.482] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0088.483] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0088.483] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0088.483] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0088.483] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2=".") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="..") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="...") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="windows") returned -1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="rsa") returned -1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="log") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="NTDETECT.COM") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="ntldr") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="MSDOS.SYS") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="IO.SYS") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="boot.ini") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="ntuser.dat") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="desktop.ini") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="CONFIG.SYS") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="RECYCLER") returned -1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="bootmgr") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="programdata") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="appdata") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="program files") returned 1 [0088.483] lstrcmpiW (lpString1="Proof.xml", lpString2="program files (x86)") returned 1 [0088.483] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" [0088.484] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpString2="Proof.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" [0088.484] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.484] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.484] lstrcmpiW (lpString1="Proof.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.484] lstrlenA (lpString="NEPHILIM") returned 8 [0088.484] GetProcessHeap () returned 0x4e0000 [0088.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502b70 [0088.484] lstrlenA (lpString="NEPHILIM") returned 8 [0088.484] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0088.485] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=1457) returned 1 [0088.485] GetProcessHeap () returned 0x4e0000 [0088.485] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.485] GetProcessHeap () returned 0x4e0000 [0088.485] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.485] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.485] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.485] GetProcessHeap () returned 0x4e0000 [0088.485] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.485] GetProcessHeap () returned 0x4e0000 [0088.485] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.485] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0088.485] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0088.485] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x5b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.485] SetLastError (dwErrCode=0x0) [0088.485] WriteFile (in: hFile=0xf0, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0088.488] GetLastError () returned 0x0 [0088.488] GetLastError () returned 0x0 [0088.488] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x6b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.488] WriteFile (in: hFile=0xf0, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0088.488] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x7b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.488] lstrlenA (lpString="NEPHILIM") returned 8 [0088.488] WriteFile (in: hFile=0xf0, lpBuffer=0x502b70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x502b70*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0088.488] GetProcessHeap () returned 0x4e0000 [0088.488] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x5b1) returned 0x50b8b0 [0088.488] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.488] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0x5b1, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0x5b1, lpOverlapped=0x0) returned 1 [0088.488] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.488] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x5b1, lpOverlapped=0x0) returned 1 [0088.488] GetProcessHeap () returned 0x4e0000 [0088.488] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0088.489] CloseHandle (hObject=0xf0) returned 1 [0088.490] GetProcessHeap () returned 0x4e0000 [0088.490] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.490] GetProcessHeap () returned 0x4e0000 [0088.490] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.490] GetProcessHeap () returned 0x4e0000 [0088.490] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.490] GetProcessHeap () returned 0x4e0000 [0088.490] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.490] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" [0088.490] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.NEPHILIM" [0088.491] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.nephilim")) returned 1 [0088.491] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0088.491] FindClose (in: hFindFile=0x502870 | out: hFindFile=0x502870) returned 1 [0088.491] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0088.491] lstrcmpiW (lpString1="Proof.fr", lpString2=".") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="..") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="...") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="windows") returned -1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="$RECYCLE.BIN") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="rsa") returned -1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="log") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="NTDETECT.COM") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="ntldr") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="MSDOS.SYS") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="IO.SYS") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="boot.ini") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="AUTOEXEC.BAT") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="ntuser.dat") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="desktop.ini") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="CONFIG.SYS") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="RECYCLER") returned -1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="BOOTSECT.BAK") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="bootmgr") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="programdata") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="appdata") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="program files") returned 1 [0088.492] lstrcmpiW (lpString1="Proof.fr", lpString2="program files (x86)") returned 1 [0088.492] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0088.492] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proof.fr" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr" [0088.492] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" [0088.492] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" [0088.493] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*" [0088.493] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x502870 [0088.493] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.493] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0088.493] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.493] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.493] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x35aa7000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x35aa7000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf3076b00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1416b54, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0088.493] lstrcmpiW (lpString1="Proof.cab", lpString2=".") returned 1 [0088.493] lstrcmpiW (lpString1="Proof.cab", lpString2="..") returned 1 [0088.493] lstrcmpiW (lpString1="Proof.cab", lpString2="...") returned 1 [0088.493] lstrcmpiW (lpString1="Proof.cab", lpString2="windows") returned -1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="$RECYCLE.BIN") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="rsa") returned -1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="log") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="NTDETECT.COM") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="ntldr") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="MSDOS.SYS") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="IO.SYS") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="boot.ini") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="AUTOEXEC.BAT") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="ntuser.dat") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="desktop.ini") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="CONFIG.SYS") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="RECYCLER") returned -1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="BOOTSECT.BAK") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="bootmgr") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="programdata") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="appdata") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="program files") returned 1 [0088.494] lstrcmpiW (lpString1="Proof.cab", lpString2="program files (x86)") returned 1 [0088.494] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" [0088.494] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpString2="Proof.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" [0088.494] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0088.494] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0088.495] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0088.495] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0088.495] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2e3b660, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd8400, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2=".") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="..") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="...") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="windows") returned -1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="$RECYCLE.BIN") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="rsa") returned -1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="log") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="NTDETECT.COM") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="ntldr") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="MSDOS.SYS") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="IO.SYS") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="boot.ini") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="ntuser.dat") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="desktop.ini") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="CONFIG.SYS") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="RECYCLER") returned -1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="BOOTSECT.BAK") returned 1 [0088.495] lstrcmpiW (lpString1="Proof.msi", lpString2="bootmgr") returned 1 [0088.496] lstrcmpiW (lpString1="Proof.msi", lpString2="programdata") returned 1 [0088.496] lstrcmpiW (lpString1="Proof.msi", lpString2="appdata") returned 1 [0088.496] lstrcmpiW (lpString1="Proof.msi", lpString2="program files") returned 1 [0088.496] lstrcmpiW (lpString1="Proof.msi", lpString2="program files (x86)") returned 1 [0088.496] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" [0088.496] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpString2="Proof.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" [0088.496] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0088.496] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0088.496] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0088.496] lstrcmpiW (lpString1="Proof.xml", lpString2=".") returned 1 [0088.496] lstrcmpiW (lpString1="Proof.xml", lpString2="..") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="...") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="windows") returned -1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="rsa") returned -1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="log") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="NTDETECT.COM") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="ntldr") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="MSDOS.SYS") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="IO.SYS") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="boot.ini") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="ntuser.dat") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="desktop.ini") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="CONFIG.SYS") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="RECYCLER") returned -1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="bootmgr") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="programdata") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="appdata") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="program files") returned 1 [0088.497] lstrcmpiW (lpString1="Proof.xml", lpString2="program files (x86)") returned 1 [0088.497] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" [0088.497] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpString2="Proof.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" [0088.497] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.498] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.498] lstrcmpiW (lpString1="Proof.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.498] lstrlenA (lpString="NEPHILIM") returned 8 [0088.498] GetProcessHeap () returned 0x4e0000 [0088.498] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502b80 [0088.498] lstrlenA (lpString="NEPHILIM") returned 8 [0088.498] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0088.499] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=1458) returned 1 [0088.499] GetProcessHeap () returned 0x4e0000 [0088.499] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.499] GetProcessHeap () returned 0x4e0000 [0088.499] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.499] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.499] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.499] GetProcessHeap () returned 0x4e0000 [0088.499] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.499] GetProcessHeap () returned 0x4e0000 [0088.499] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.499] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0088.500] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0088.500] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x5b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.500] SetLastError (dwErrCode=0x0) [0088.500] WriteFile (in: hFile=0xf0, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0088.647] GetLastError () returned 0x0 [0088.647] GetLastError () returned 0x0 [0088.647] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x6b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.648] WriteFile (in: hFile=0xf0, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0088.648] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x7b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.648] lstrlenA (lpString="NEPHILIM") returned 8 [0088.648] WriteFile (in: hFile=0xf0, lpBuffer=0x502b80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x502b80*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0088.648] GetProcessHeap () returned 0x4e0000 [0088.648] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x5b2) returned 0x50b8b0 [0088.648] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.648] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0x5b2, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0x5b2, lpOverlapped=0x0) returned 1 [0088.648] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.648] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0x5b2, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x5b2, lpOverlapped=0x0) returned 1 [0088.648] GetProcessHeap () returned 0x4e0000 [0088.648] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0088.648] CloseHandle (hObject=0xf0) returned 1 [0088.652] GetProcessHeap () returned 0x4e0000 [0088.652] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.652] GetProcessHeap () returned 0x4e0000 [0088.652] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.652] GetProcessHeap () returned 0x4e0000 [0088.652] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.652] GetProcessHeap () returned 0x4e0000 [0088.652] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.652] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" [0088.653] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.NEPHILIM" [0088.653] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.nephilim")) returned 1 [0088.653] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0088.653] FindClose (in: hFindFile=0x502870 | out: hFindFile=0x502870) returned 1 [0088.654] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2=".") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="..") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="...") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="windows") returned -1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="$RECYCLE.BIN") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="rsa") returned -1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="log") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="NTDETECT.COM") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="ntldr") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="MSDOS.SYS") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="IO.SYS") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="boot.ini") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="ntuser.dat") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="desktop.ini") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="CONFIG.SYS") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="RECYCLER") returned -1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="BOOTSECT.BAK") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="bootmgr") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="programdata") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="appdata") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="program files") returned 1 [0088.654] lstrcmpiW (lpString1="Proofing.msi", lpString2="program files (x86)") returned 1 [0088.655] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0088.655] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proofing.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" [0088.655] PathFindExtensionW (pszPath="Proofing.msi") returned=".msi" [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0088.655] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0088.655] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Proofing.xml", cAlternateFileName="")) returned 1 [0088.655] lstrcmpiW (lpString1="Proofing.xml", lpString2=".") returned 1 [0088.655] lstrcmpiW (lpString1="Proofing.xml", lpString2="..") returned 1 [0088.655] lstrcmpiW (lpString1="Proofing.xml", lpString2="...") returned 1 [0088.655] lstrcmpiW (lpString1="Proofing.xml", lpString2="windows") returned -1 [0088.655] lstrcmpiW (lpString1="Proofing.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.655] lstrcmpiW (lpString1="Proofing.xml", lpString2="rsa") returned -1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="log") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="NTDETECT.COM") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="ntldr") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="MSDOS.SYS") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="IO.SYS") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="boot.ini") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="ntuser.dat") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="desktop.ini") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="CONFIG.SYS") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="RECYCLER") returned -1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="bootmgr") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="programdata") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="appdata") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="program files") returned 1 [0088.656] lstrcmpiW (lpString1="Proofing.xml", lpString2="program files (x86)") returned 1 [0088.656] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0088.656] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proofing.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" [0088.656] PathFindExtensionW (pszPath="Proofing.xml") returned=".xml" [0088.656] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.656] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.656] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.656] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.656] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.657] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.657] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.657] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.657] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.657] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.657] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.657] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.657] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.657] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.657] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.657] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.657] lstrcmpiW (lpString1="Proofing.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.657] lstrlenA (lpString="NEPHILIM") returned 8 [0088.657] GetProcessHeap () returned 0x4e0000 [0088.657] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502b90 [0088.657] lstrlenA (lpString="NEPHILIM") returned 8 [0088.657] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.658] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=811) returned 1 [0088.658] GetProcessHeap () returned 0x4e0000 [0088.658] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.658] GetProcessHeap () returned 0x4e0000 [0088.658] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.658] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.658] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.658] GetProcessHeap () returned 0x4e0000 [0088.658] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.658] GetProcessHeap () returned 0x4e0000 [0088.658] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.658] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.658] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.659] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x32b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.659] SetLastError (dwErrCode=0x0) [0088.659] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.665] GetLastError () returned 0x0 [0088.665] GetLastError () returned 0x0 [0088.665] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x42b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.666] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.666] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x52b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.666] lstrlenA (lpString="NEPHILIM") returned 8 [0088.666] WriteFile (in: hFile=0xec, lpBuffer=0x502b90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502b90*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.666] GetProcessHeap () returned 0x4e0000 [0088.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x32b) returned 0x507390 [0088.666] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.666] ReadFile (in: hFile=0xec, lpBuffer=0x507390, nNumberOfBytesToRead=0x32b, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x507390*, lpNumberOfBytesRead=0x24de430*=0x32b, lpOverlapped=0x0) returned 1 [0088.666] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.666] WriteFile (in: hFile=0xec, lpBuffer=0x507390*, nNumberOfBytesToWrite=0x32b, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507390*, lpNumberOfBytesWritten=0x24de43c*=0x32b, lpOverlapped=0x0) returned 1 [0088.666] GetProcessHeap () returned 0x4e0000 [0088.666] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507390 | out: hHeap=0x4e0000) returned 1 [0088.666] CloseHandle (hObject=0xec) returned 1 [0088.668] GetProcessHeap () returned 0x4e0000 [0088.668] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.668] GetProcessHeap () returned 0x4e0000 [0088.668] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.668] GetProcessHeap () returned 0x4e0000 [0088.668] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.668] GetProcessHeap () returned 0x4e0000 [0088.668] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.668] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" [0088.668] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.NEPHILIM" [0088.669] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.nephilim")) returned 1 [0088.669] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0088.669] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0088.669] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0088.669] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0088.669] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0088.669] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.669] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0088.669] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0088.669] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0088.669] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0088.669] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0088.669] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0088.670] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0088.670] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.670] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0088.670] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0088.670] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0088.670] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0088.670] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.670] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0088.670] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0088.670] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0088.670] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0088.670] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0088.670] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0088.670] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.670] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.670] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.671] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.671] lstrlenA (lpString="NEPHILIM") returned 8 [0088.671] GetProcessHeap () returned 0x4e0000 [0088.671] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502ba0 [0088.671] lstrlenA (lpString="NEPHILIM") returned 8 [0088.671] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.671] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=5884) returned 1 [0088.671] GetProcessHeap () returned 0x4e0000 [0088.671] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.671] GetProcessHeap () returned 0x4e0000 [0088.671] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.671] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.671] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.671] GetProcessHeap () returned 0x4e0000 [0088.671] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.671] GetProcessHeap () returned 0x4e0000 [0088.671] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.671] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.672] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.672] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x16fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.672] SetLastError (dwErrCode=0x0) [0088.672] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.675] GetLastError () returned 0x0 [0088.675] GetLastError () returned 0x0 [0088.675] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.675] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.675] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x18fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.675] lstrlenA (lpString="NEPHILIM") returned 8 [0088.675] WriteFile (in: hFile=0xec, lpBuffer=0x502ba0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502ba0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.675] GetProcessHeap () returned 0x4e0000 [0088.675] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x16fc) returned 0x50a8a8 [0088.676] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.676] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x16fc, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x16fc, lpOverlapped=0x0) returned 1 [0088.677] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.677] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x16fc, lpOverlapped=0x0) returned 1 [0088.677] GetProcessHeap () returned 0x4e0000 [0088.677] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.677] CloseHandle (hObject=0xec) returned 1 [0088.680] GetProcessHeap () returned 0x4e0000 [0088.680] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.680] GetProcessHeap () returned 0x4e0000 [0088.680] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.680] GetProcessHeap () returned 0x4e0000 [0088.680] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.680] GetProcessHeap () returned 0x4e0000 [0088.680] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.680] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.680] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0088.680] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0088.681] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0088.681] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0088.681] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0088.681] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0088.682] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0088.682] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0088.682] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0043-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C" [0088.683] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0088.683] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0088.683] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" [0088.683] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0088.686] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.686] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0088.686] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.686] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.686] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0088.686] lstrcmpiW (lpString1="Office32MUI.msi", lpString2=".") returned 1 [0088.686] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="..") returned 1 [0088.686] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="...") returned 1 [0088.686] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="windows") returned -1 [0088.686] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="rsa") returned -1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="log") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="NTDETECT.COM") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="ntldr") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="MSDOS.SYS") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="IO.SYS") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="boot.ini") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="ntuser.dat") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="desktop.ini") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="CONFIG.SYS") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="RECYCLER") returned -1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="BOOTSECT.BAK") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="bootmgr") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="programdata") returned -1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="appdata") returned 1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="program files") returned -1 [0088.687] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="program files (x86)") returned -1 [0088.687] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0088.687] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="Office32MUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" [0088.687] PathFindExtensionW (pszPath="Office32MUI.msi") returned=".msi" [0088.687] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0088.687] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0088.687] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0088.687] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0088.688] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0088.688] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0088.688] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0088.688] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0088.688] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0088.688] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0088.688] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0088.688] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0088.688] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0088.688] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0088.688] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0088.688] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Office32MUI.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2=".") returned 1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="..") returned 1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="...") returned 1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="windows") returned -1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="rsa") returned -1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="log") returned 1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="NTDETECT.COM") returned 1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="ntldr") returned 1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="MSDOS.SYS") returned 1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="IO.SYS") returned 1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="boot.ini") returned 1 [0088.688] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.689] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="ntuser.dat") returned 1 [0088.689] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="desktop.ini") returned 1 [0088.689] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="CONFIG.SYS") returned 1 [0088.689] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="RECYCLER") returned -1 [0088.689] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.689] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="bootmgr") returned 1 [0088.689] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="programdata") returned -1 [0088.689] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="appdata") returned 1 [0088.689] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="program files") returned -1 [0088.689] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="program files (x86)") returned -1 [0088.689] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0088.689] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="Office32MUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" [0088.689] PathFindExtensionW (pszPath="Office32MUI.xml") returned=".xml" [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.689] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.690] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.690] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.690] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.690] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.690] lstrlenA (lpString="NEPHILIM") returned 8 [0088.690] GetProcessHeap () returned 0x4e0000 [0088.690] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502bb0 [0088.690] lstrlenA (lpString="NEPHILIM") returned 8 [0088.690] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.690] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1383) returned 1 [0088.690] GetProcessHeap () returned 0x4e0000 [0088.690] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.690] GetProcessHeap () returned 0x4e0000 [0088.690] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.690] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.691] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.691] GetProcessHeap () returned 0x4e0000 [0088.691] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.691] GetProcessHeap () returned 0x4e0000 [0088.691] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.691] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.691] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.691] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x567, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.691] SetLastError (dwErrCode=0x0) [0088.691] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.694] GetLastError () returned 0x0 [0088.694] GetLastError () returned 0x0 [0088.694] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x667, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.694] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.694] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x767, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.694] lstrlenA (lpString="NEPHILIM") returned 8 [0088.694] WriteFile (in: hFile=0xec, lpBuffer=0x502bb0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502bb0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.695] GetProcessHeap () returned 0x4e0000 [0088.695] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x567) returned 0x50a8a8 [0088.695] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.695] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x567, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x567, lpOverlapped=0x0) returned 1 [0088.695] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.695] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x567, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x567, lpOverlapped=0x0) returned 1 [0088.695] GetProcessHeap () returned 0x4e0000 [0088.695] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.695] CloseHandle (hObject=0xec) returned 1 [0088.700] GetProcessHeap () returned 0x4e0000 [0088.700] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.700] GetProcessHeap () returned 0x4e0000 [0088.700] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.700] GetProcessHeap () returned 0x4e0000 [0088.701] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.701] GetProcessHeap () returned 0x4e0000 [0088.701] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.701] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" [0088.701] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.NEPHILIM" [0088.701] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.nephilim")) returned 1 [0088.702] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc301560, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2cb13b, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OWOW32LR.cab", cAlternateFileName="")) returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2=".") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="..") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="...") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="windows") returned -1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="$RECYCLE.BIN") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="rsa") returned -1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="log") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="NTDETECT.COM") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="ntldr") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="MSDOS.SYS") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="IO.SYS") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="boot.ini") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="AUTOEXEC.BAT") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="ntuser.dat") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="desktop.ini") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="CONFIG.SYS") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="RECYCLER") returned -1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="BOOTSECT.BAK") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="bootmgr") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="programdata") returned -1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="appdata") returned 1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="program files") returned -1 [0088.702] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="program files (x86)") returned -1 [0088.703] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0088.703] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="OWOW32LR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" [0088.703] PathFindExtensionW (pszPath="OWOW32LR.cab") returned=".cab" [0088.703] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0088.703] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0088.703] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0088.703] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0088.703] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0088.704] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.704] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0088.704] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0088.704] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0088.704] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0088.704] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0088.704] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0088.704] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.704] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.704] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.704] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.705] lstrlenA (lpString="NEPHILIM") returned 8 [0088.705] GetProcessHeap () returned 0x4e0000 [0088.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502bc0 [0088.705] lstrlenA (lpString="NEPHILIM") returned 8 [0088.705] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.705] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=2362) returned 1 [0088.705] GetProcessHeap () returned 0x4e0000 [0088.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.705] GetProcessHeap () returned 0x4e0000 [0088.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.705] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.705] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.705] GetProcessHeap () returned 0x4e0000 [0088.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.705] GetProcessHeap () returned 0x4e0000 [0088.706] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.706] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.706] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.706] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x93a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.706] SetLastError (dwErrCode=0x0) [0088.706] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.709] GetLastError () returned 0x0 [0088.709] GetLastError () returned 0x0 [0088.709] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xa3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.709] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.709] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xb3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.709] lstrlenA (lpString="NEPHILIM") returned 8 [0088.709] WriteFile (in: hFile=0xec, lpBuffer=0x502bc0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502bc0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.709] GetProcessHeap () returned 0x4e0000 [0088.709] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x93a) returned 0x50a8a8 [0088.709] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.709] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x93a, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x93a, lpOverlapped=0x0) returned 1 [0088.710] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.710] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x93a, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x93a, lpOverlapped=0x0) returned 1 [0088.710] GetProcessHeap () returned 0x4e0000 [0088.710] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.710] CloseHandle (hObject=0xec) returned 1 [0088.711] GetProcessHeap () returned 0x4e0000 [0088.711] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.711] GetProcessHeap () returned 0x4e0000 [0088.711] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.711] GetProcessHeap () returned 0x4e0000 [0088.711] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.711] GetProcessHeap () returned 0x4e0000 [0088.711] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.711] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.712] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0088.712] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0088.712] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0088.712] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0088.712] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0088.713] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0088.714] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0088.714] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0044-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C" [0088.714] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0088.714] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0088.714] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*" [0088.714] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0088.720] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.720] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0088.720] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.720] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.720] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2=".") returned 1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="..") returned 1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="...") returned 1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="windows") returned -1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="$RECYCLE.BIN") returned 1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="rsa") returned -1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="log") returned -1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="NTDETECT.COM") returned -1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="ntldr") returned -1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="MSDOS.SYS") returned -1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="IO.SYS") returned -1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="boot.ini") returned 1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="AUTOEXEC.BAT") returned 1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="ntuser.dat") returned -1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="desktop.ini") returned 1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="CONFIG.SYS") returned 1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="RECYCLER") returned -1 [0088.720] lstrcmpiW (lpString1="InfLR.cab", lpString2="BOOTSECT.BAK") returned 1 [0088.721] lstrcmpiW (lpString1="InfLR.cab", lpString2="bootmgr") returned 1 [0088.721] lstrcmpiW (lpString1="InfLR.cab", lpString2="programdata") returned -1 [0088.721] lstrcmpiW (lpString1="InfLR.cab", lpString2="appdata") returned 1 [0088.721] lstrcmpiW (lpString1="InfLR.cab", lpString2="program files") returned -1 [0088.721] lstrcmpiW (lpString1="InfLR.cab", lpString2="program files (x86)") returned -1 [0088.721] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0088.721] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="InfLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" [0088.721] PathFindExtensionW (pszPath="InfLR.cab") returned=".cab" [0088.721] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0088.721] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0088.721] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0088.721] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e58f90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2fac00, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="InfoPathMUI.msi", cAlternateFileName="INFOPA~1.MSI")) returned 1 [0088.721] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2=".") returned 1 [0088.721] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="..") returned 1 [0088.721] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="...") returned 1 [0088.721] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="windows") returned -1 [0088.721] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0088.721] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="rsa") returned -1 [0088.721] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="log") returned -1 [0088.721] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="NTDETECT.COM") returned -1 [0088.721] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="ntldr") returned -1 [0088.721] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="MSDOS.SYS") returned -1 [0088.721] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="IO.SYS") returned -1 [0088.722] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="boot.ini") returned 1 [0088.722] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.722] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="ntuser.dat") returned -1 [0088.722] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="desktop.ini") returned 1 [0088.722] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="CONFIG.SYS") returned 1 [0088.722] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="RECYCLER") returned -1 [0088.722] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="BOOTSECT.BAK") returned 1 [0088.722] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="bootmgr") returned 1 [0088.722] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="programdata") returned -1 [0088.722] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="appdata") returned 1 [0088.722] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="program files") returned -1 [0088.722] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="program files (x86)") returned -1 [0088.722] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0088.722] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="InfoPathMUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" [0088.722] PathFindExtensionW (pszPath="InfoPathMUI.msi") returned=".msi" [0088.722] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0088.722] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0088.722] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0088.722] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0088.722] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0088.722] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0088.722] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0088.722] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0088.722] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0088.723] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0088.723] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0088.723] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0088.723] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0088.723] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0088.723] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0088.723] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="InfoPathMUI.xml", cAlternateFileName="INFOPA~1.XML")) returned 1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2=".") returned 1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="..") returned 1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="...") returned 1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="windows") returned -1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="rsa") returned -1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="log") returned -1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="NTDETECT.COM") returned -1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="ntldr") returned -1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="MSDOS.SYS") returned -1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="IO.SYS") returned -1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="boot.ini") returned 1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="ntuser.dat") returned -1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="desktop.ini") returned 1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="CONFIG.SYS") returned 1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="RECYCLER") returned -1 [0088.723] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.724] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="bootmgr") returned 1 [0088.724] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="programdata") returned -1 [0088.724] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="appdata") returned 1 [0088.724] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="program files") returned -1 [0088.724] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="program files (x86)") returned -1 [0088.724] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0088.724] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="InfoPathMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" [0088.724] PathFindExtensionW (pszPath="InfoPathMUI.xml") returned=".xml" [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.724] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.724] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0088.725] lstrlenA (lpString="NEPHILIM") returned 8 [0088.725] GetProcessHeap () returned 0x4e0000 [0088.725] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502bd0 [0088.725] lstrlenA (lpString="NEPHILIM") returned 8 [0088.725] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.725] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1231) returned 1 [0088.725] GetProcessHeap () returned 0x4e0000 [0088.725] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.725] GetProcessHeap () returned 0x4e0000 [0088.725] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.725] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.725] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.725] GetProcessHeap () returned 0x4e0000 [0088.726] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.726] GetProcessHeap () returned 0x4e0000 [0088.726] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.726] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.726] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.726] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x4cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.726] SetLastError (dwErrCode=0x0) [0088.726] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.729] GetLastError () returned 0x0 [0088.729] GetLastError () returned 0x0 [0088.729] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x5cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.729] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.729] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.729] lstrlenA (lpString="NEPHILIM") returned 8 [0088.729] WriteFile (in: hFile=0xec, lpBuffer=0x502bd0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502bd0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.729] GetProcessHeap () returned 0x4e0000 [0088.729] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x4cf) returned 0x507390 [0088.729] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.730] ReadFile (in: hFile=0xec, lpBuffer=0x507390, nNumberOfBytesToRead=0x4cf, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x507390*, lpNumberOfBytesRead=0x24de430*=0x4cf, lpOverlapped=0x0) returned 1 [0088.730] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.730] WriteFile (in: hFile=0xec, lpBuffer=0x507390*, nNumberOfBytesToWrite=0x4cf, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507390*, lpNumberOfBytesWritten=0x24de43c*=0x4cf, lpOverlapped=0x0) returned 1 [0088.730] GetProcessHeap () returned 0x4e0000 [0088.730] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507390 | out: hHeap=0x4e0000) returned 1 [0088.730] CloseHandle (hObject=0xec) returned 1 [0088.738] GetProcessHeap () returned 0x4e0000 [0088.738] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.738] GetProcessHeap () returned 0x4e0000 [0088.738] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.738] GetProcessHeap () returned 0x4e0000 [0088.738] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.738] GetProcessHeap () returned 0x4e0000 [0088.738] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.738] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" [0088.738] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.NEPHILIM" [0088.738] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.nephilim")) returned 1 [0088.739] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0088.739] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0088.739] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0088.739] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0088.739] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0088.739] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.739] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0088.739] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0088.739] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0088.739] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0088.739] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0088.740] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0088.740] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0088.740] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.740] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0088.740] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.740] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.740] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.740] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.740] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.740] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.740] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.740] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.740] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.741] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.741] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.741] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.741] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.741] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.741] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.741] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.741] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.741] lstrlenA (lpString="NEPHILIM") returned 8 [0088.741] GetProcessHeap () returned 0x4e0000 [0088.741] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502be0 [0088.741] lstrlenA (lpString="NEPHILIM") returned 8 [0088.741] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.741] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1852) returned 1 [0088.741] GetProcessHeap () returned 0x4e0000 [0088.741] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.741] GetProcessHeap () returned 0x4e0000 [0088.741] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.742] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.742] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.742] GetProcessHeap () returned 0x4e0000 [0088.742] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.742] GetProcessHeap () returned 0x4e0000 [0088.742] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.742] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.742] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.742] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x73c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.742] SetLastError (dwErrCode=0x0) [0088.743] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.746] GetLastError () returned 0x0 [0088.746] GetLastError () returned 0x0 [0088.746] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x83c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.746] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.746] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x93c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.746] lstrlenA (lpString="NEPHILIM") returned 8 [0088.746] WriteFile (in: hFile=0xec, lpBuffer=0x502be0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502be0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.746] GetProcessHeap () returned 0x4e0000 [0088.746] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x73c) returned 0x50a8a8 [0088.746] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.746] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x73c, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x73c, lpOverlapped=0x0) returned 1 [0088.746] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.747] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x73c, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x73c, lpOverlapped=0x0) returned 1 [0088.747] GetProcessHeap () returned 0x4e0000 [0088.747] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.747] CloseHandle (hObject=0xec) returned 1 [0088.833] GetProcessHeap () returned 0x4e0000 [0088.833] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.833] GetProcessHeap () returned 0x4e0000 [0088.833] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.833] GetProcessHeap () returned 0x4e0000 [0088.833] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.833] GetProcessHeap () returned 0x4e0000 [0088.833] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.833] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.833] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0088.834] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0088.834] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0088.834] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0088.834] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0088.834] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0088.835] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0088.835] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0088.835] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0054-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C" [0088.835] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0088.836] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0088.836] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*" [0088.836] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0088.836] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.836] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0088.836] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.836] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.836] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0088.837] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0088.837] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0088.837] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.837] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0088.837] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.838] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.838] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.838] lstrlenA (lpString="NEPHILIM") returned 8 [0088.838] GetProcessHeap () returned 0x4e0000 [0088.838] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502bf0 [0088.838] lstrlenA (lpString="NEPHILIM") returned 8 [0088.838] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.978] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=6241) returned 1 [0088.978] GetProcessHeap () returned 0x4e0000 [0088.978] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.978] GetProcessHeap () returned 0x4e0000 [0088.978] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.978] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.978] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.978] GetProcessHeap () returned 0x4e0000 [0088.978] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.978] GetProcessHeap () returned 0x4e0000 [0088.978] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.978] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.979] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.979] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1861, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.979] SetLastError (dwErrCode=0x0) [0088.979] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.983] GetLastError () returned 0x0 [0088.983] GetLastError () returned 0x0 [0088.983] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1961, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.983] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0088.984] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1a61, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.984] lstrlenA (lpString="NEPHILIM") returned 8 [0088.984] WriteFile (in: hFile=0xec, lpBuffer=0x502bf0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502bf0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0088.984] GetProcessHeap () returned 0x4e0000 [0088.984] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1861) returned 0x50a8a8 [0088.984] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.984] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x1861, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x1861, lpOverlapped=0x0) returned 1 [0088.985] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.985] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x1861, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x1861, lpOverlapped=0x0) returned 1 [0088.986] GetProcessHeap () returned 0x4e0000 [0088.986] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0088.986] CloseHandle (hObject=0xec) returned 1 [0088.988] GetProcessHeap () returned 0x4e0000 [0088.988] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0088.988] GetProcessHeap () returned 0x4e0000 [0088.988] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0088.988] GetProcessHeap () returned 0x4e0000 [0088.988] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0088.988] GetProcessHeap () returned 0x4e0000 [0088.988] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0088.988] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" [0088.988] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0088.988] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0088.990] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fb9f9e0, ftCreationTime.dwHighDateTime=0x1cbe575, ftLastAccessTime.dwLowDateTime=0x7fb9f9e0, ftLastAccessTime.dwHighDateTime=0x1cbe575, ftLastWriteTime.dwLowDateTime=0x437179c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x30780dd, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="VisioLR.cab", cAlternateFileName="")) returned 1 [0088.990] lstrcmpiW (lpString1="VisioLR.cab", lpString2=".") returned 1 [0088.990] lstrcmpiW (lpString1="VisioLR.cab", lpString2="..") returned 1 [0088.990] lstrcmpiW (lpString1="VisioLR.cab", lpString2="...") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="windows") returned -1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="$RECYCLE.BIN") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="rsa") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="log") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="NTDETECT.COM") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="ntldr") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="MSDOS.SYS") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="IO.SYS") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="boot.ini") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="AUTOEXEC.BAT") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="ntuser.dat") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="desktop.ini") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="CONFIG.SYS") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="RECYCLER") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="BOOTSECT.BAK") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="bootmgr") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="programdata") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="appdata") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="program files") returned 1 [0088.991] lstrcmpiW (lpString1="VisioLR.cab", lpString2="program files (x86)") returned 1 [0088.991] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0088.992] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="VisioLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" [0088.992] PathFindExtensionW (pszPath="VisioLR.cab") returned=".cab" [0088.992] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0088.992] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0088.992] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0088.992] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x272b1e70, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x272b1e70, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x435c1d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2ab000, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="VisioMUI.msi", cAlternateFileName="")) returned 1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2=".") returned 1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="..") returned 1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="...") returned 1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="windows") returned -1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="rsa") returned 1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="log") returned 1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="NTDETECT.COM") returned 1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="ntldr") returned 1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="MSDOS.SYS") returned 1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="IO.SYS") returned 1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="boot.ini") returned 1 [0088.992] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="AUTOEXEC.BAT") returned 1 [0088.993] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="ntuser.dat") returned 1 [0088.993] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="desktop.ini") returned 1 [0088.993] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="CONFIG.SYS") returned 1 [0088.993] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="RECYCLER") returned 1 [0088.993] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="BOOTSECT.BAK") returned 1 [0088.993] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="bootmgr") returned 1 [0088.993] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="programdata") returned 1 [0088.993] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="appdata") returned 1 [0088.993] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="program files") returned 1 [0088.993] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="program files (x86)") returned 1 [0088.993] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0088.993] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="VisioMUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" [0088.993] PathFindExtensionW (pszPath="VisioMUI.msi") returned=".msi" [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0088.993] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0088.994] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0088.994] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0088.994] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2=".") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="..") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="...") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="windows") returned -1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="rsa") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="log") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="NTDETECT.COM") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="ntldr") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="MSDOS.SYS") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="IO.SYS") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="boot.ini") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="AUTOEXEC.BAT") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="ntuser.dat") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="desktop.ini") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="CONFIG.SYS") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="RECYCLER") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="BOOTSECT.BAK") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="bootmgr") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="programdata") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="appdata") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="program files") returned 1 [0088.994] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="program files (x86)") returned 1 [0088.994] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0088.994] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="VisioMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" [0088.995] PathFindExtensionW (pszPath="VisioMUI.xml") returned=".xml" [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0088.995] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0088.995] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0088.995] lstrlenA (lpString="NEPHILIM") returned 8 [0088.995] GetProcessHeap () returned 0x4e0000 [0088.995] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502c00 [0088.995] lstrlenA (lpString="NEPHILIM") returned 8 [0088.995] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0088.996] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=9503) returned 1 [0088.996] GetProcessHeap () returned 0x4e0000 [0088.996] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0088.996] GetProcessHeap () returned 0x4e0000 [0088.996] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0088.996] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0088.996] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0088.996] GetProcessHeap () returned 0x4e0000 [0088.996] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0088.996] GetProcessHeap () returned 0x4e0000 [0088.996] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0088.996] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0088.997] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0088.997] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x251f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.997] SetLastError (dwErrCode=0x0) [0088.997] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.003] GetLastError () returned 0x0 [0089.003] GetLastError () returned 0x0 [0089.003] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x261f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.003] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.003] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x271f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.003] lstrlenA (lpString="NEPHILIM") returned 8 [0089.003] WriteFile (in: hFile=0xec, lpBuffer=0x502c00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502c00*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.003] GetProcessHeap () returned 0x4e0000 [0089.003] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x251f) returned 0x50a8a8 [0089.003] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.004] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x251f, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x251f, lpOverlapped=0x0) returned 1 [0089.005] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.005] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x251f, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x251f, lpOverlapped=0x0) returned 1 [0089.006] GetProcessHeap () returned 0x4e0000 [0089.006] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.006] CloseHandle (hObject=0xec) returned 1 [0089.008] GetProcessHeap () returned 0x4e0000 [0089.008] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.008] GetProcessHeap () returned 0x4e0000 [0089.008] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.008] GetProcessHeap () returned 0x4e0000 [0089.008] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.008] GetProcessHeap () returned 0x4e0000 [0089.008] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.009] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" [0089.009] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.NEPHILIM" [0089.009] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.nephilim")) returned 1 [0089.009] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 0 [0089.009] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0089.010] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0089.010] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0089.011] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0089.011] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0089.011] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-00A1-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C" [0089.011] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0089.011] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0089.011] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" [0089.011] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0089.014] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0089.014] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0089.014] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0089.014] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0089.014] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0089.014] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2=".") returned 1 [0089.014] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="..") returned 1 [0089.014] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="...") returned 1 [0089.014] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="windows") returned -1 [0089.014] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0089.014] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="rsa") returned -1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="log") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="NTDETECT.COM") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="ntldr") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="MSDOS.SYS") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="IO.SYS") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="boot.ini") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="AUTOEXEC.BAT") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="ntuser.dat") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="desktop.ini") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="CONFIG.SYS") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="RECYCLER") returned -1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="BOOTSECT.BAK") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="bootmgr") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="programdata") returned -1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="appdata") returned 1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="program files") returned -1 [0089.015] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="program files (x86)") returned -1 [0089.015] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0089.015] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="OneNoteMUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" [0089.015] PathFindExtensionW (pszPath="OneNoteMUI.msi") returned=".msi" [0089.015] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0089.015] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0089.015] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0089.016] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0089.016] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0089.016] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0089.016] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0089.016] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0089.016] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0089.016] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0089.016] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0089.016] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0089.016] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0089.016] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0089.016] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0089.016] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OneNoteMUI.xml", cAlternateFileName="ONENOT~1.XML")) returned 1 [0089.016] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2=".") returned 1 [0089.016] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="..") returned 1 [0089.016] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="...") returned 1 [0089.016] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="windows") returned -1 [0089.016] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.016] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="rsa") returned -1 [0089.016] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="log") returned 1 [0089.016] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="NTDETECT.COM") returned 1 [0089.016] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="ntldr") returned 1 [0089.016] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="MSDOS.SYS") returned 1 [0089.016] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="IO.SYS") returned 1 [0089.016] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="boot.ini") returned 1 [0089.017] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.017] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="ntuser.dat") returned 1 [0089.017] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="desktop.ini") returned 1 [0089.017] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="CONFIG.SYS") returned 1 [0089.017] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="RECYCLER") returned -1 [0089.017] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.017] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="bootmgr") returned 1 [0089.017] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="programdata") returned -1 [0089.017] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="appdata") returned 1 [0089.017] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="program files") returned -1 [0089.017] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="program files (x86)") returned -1 [0089.017] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0089.017] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="OneNoteMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" [0089.017] PathFindExtensionW (pszPath="OneNoteMUI.xml") returned=".xml" [0089.017] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.017] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.017] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.017] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.017] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.017] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.017] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.017] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.017] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.017] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.017] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.017] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.018] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.018] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.018] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.018] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.018] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.018] lstrlenA (lpString="NEPHILIM") returned 8 [0089.018] GetProcessHeap () returned 0x4e0000 [0089.018] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502c10 [0089.018] lstrlenA (lpString="NEPHILIM") returned 8 [0089.018] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.018] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1606) returned 1 [0089.018] GetProcessHeap () returned 0x4e0000 [0089.018] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.018] GetProcessHeap () returned 0x4e0000 [0089.018] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.018] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.019] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.019] GetProcessHeap () returned 0x4e0000 [0089.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.019] GetProcessHeap () returned 0x4e0000 [0089.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.019] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.019] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.019] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x646, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.019] SetLastError (dwErrCode=0x0) [0089.019] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.026] GetLastError () returned 0x0 [0089.026] GetLastError () returned 0x0 [0089.026] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x746, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.026] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.026] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x846, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.026] lstrlenA (lpString="NEPHILIM") returned 8 [0089.026] WriteFile (in: hFile=0xec, lpBuffer=0x502c10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502c10*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.027] GetProcessHeap () returned 0x4e0000 [0089.027] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x646) returned 0x50a8a8 [0089.027] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.027] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x646, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x646, lpOverlapped=0x0) returned 1 [0089.027] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.027] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x646, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x646, lpOverlapped=0x0) returned 1 [0089.027] GetProcessHeap () returned 0x4e0000 [0089.027] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.027] CloseHandle (hObject=0xec) returned 1 [0089.032] GetProcessHeap () returned 0x4e0000 [0089.032] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.032] GetProcessHeap () returned 0x4e0000 [0089.032] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.032] GetProcessHeap () returned 0x4e0000 [0089.032] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.032] GetProcessHeap () returned 0x4e0000 [0089.032] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.032] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" [0089.032] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.NEPHILIM" [0089.032] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.nephilim")) returned 1 [0089.033] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36db9d00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x36db9d00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5e95540, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10a5df8, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OnoteLR.cab", cAlternateFileName="")) returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2=".") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="..") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="...") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="windows") returned -1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="$RECYCLE.BIN") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="rsa") returned -1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="log") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="NTDETECT.COM") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="ntldr") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="MSDOS.SYS") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="IO.SYS") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="boot.ini") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="AUTOEXEC.BAT") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="ntuser.dat") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="desktop.ini") returned 1 [0089.033] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="CONFIG.SYS") returned 1 [0089.034] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="RECYCLER") returned -1 [0089.034] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="BOOTSECT.BAK") returned 1 [0089.034] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="bootmgr") returned 1 [0089.034] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="programdata") returned -1 [0089.034] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="appdata") returned 1 [0089.034] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="program files") returned -1 [0089.034] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="program files (x86)") returned -1 [0089.034] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0089.034] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="OnoteLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" [0089.034] PathFindExtensionW (pszPath="OnoteLR.cab") returned=".cab" [0089.034] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0089.034] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0089.034] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0089.034] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0089.034] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.035] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0089.035] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0089.035] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0089.035] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0089.035] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.035] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0089.035] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0089.035] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0089.035] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0089.035] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0089.035] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0089.035] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" [0089.035] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.035] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.036] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.036] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.036] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.036] lstrlenA (lpString="NEPHILIM") returned 8 [0089.036] GetProcessHeap () returned 0x4e0000 [0089.036] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502c20 [0089.036] lstrlenA (lpString="NEPHILIM") returned 8 [0089.036] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.038] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1988) returned 1 [0089.038] GetProcessHeap () returned 0x4e0000 [0089.038] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.038] GetProcessHeap () returned 0x4e0000 [0089.038] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.038] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.038] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.038] GetProcessHeap () returned 0x4e0000 [0089.038] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.039] GetProcessHeap () returned 0x4e0000 [0089.039] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.039] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.039] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.039] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.040] SetLastError (dwErrCode=0x0) [0089.040] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.046] GetLastError () returned 0x0 [0089.046] GetLastError () returned 0x0 [0089.046] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.047] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.047] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x9c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.047] lstrlenA (lpString="NEPHILIM") returned 8 [0089.047] WriteFile (in: hFile=0xec, lpBuffer=0x502c20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502c20*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.047] GetProcessHeap () returned 0x4e0000 [0089.047] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x7c4) returned 0x50a8a8 [0089.047] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.047] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x7c4, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x7c4, lpOverlapped=0x0) returned 1 [0089.047] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.047] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x7c4, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x7c4, lpOverlapped=0x0) returned 1 [0089.047] GetProcessHeap () returned 0x4e0000 [0089.047] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.047] CloseHandle (hObject=0xec) returned 1 [0089.052] GetProcessHeap () returned 0x4e0000 [0089.052] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.052] GetProcessHeap () returned 0x4e0000 [0089.052] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.052] GetProcessHeap () returned 0x4e0000 [0089.052] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.052] GetProcessHeap () returned 0x4e0000 [0089.052] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.052] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" [0089.052] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0089.052] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0089.053] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0089.053] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0089.053] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0089.053] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0089.053] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0089.054] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0089.054] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0089.054] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-00B4-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C" [0089.054] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0089.055] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0089.055] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*" [0089.055] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0089.250] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0089.250] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0089.250] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0089.250] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0089.251] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2=".") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="..") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="...") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="windows") returned -1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="rsa") returned -1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="log") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="NTDETECT.COM") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="ntldr") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="MSDOS.SYS") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="IO.SYS") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="boot.ini") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="AUTOEXEC.BAT") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="ntuser.dat") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="desktop.ini") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="CONFIG.SYS") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="RECYCLER") returned -1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="BOOTSECT.BAK") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="bootmgr") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="programdata") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="appdata") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="program files") returned 1 [0089.251] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="program files (x86)") returned 1 [0089.252] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0089.252] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="ProjectMUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" [0089.252] PathFindExtensionW (pszPath="ProjectMUI.msi") returned=".msi" [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0089.252] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0089.252] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ProjectMUI.xml", cAlternateFileName="PROJEC~1.XML")) returned 1 [0089.252] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2=".") returned 1 [0089.252] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="..") returned 1 [0089.252] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="...") returned 1 [0089.252] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="windows") returned -1 [0089.252] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.252] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="rsa") returned -1 [0089.252] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="log") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="NTDETECT.COM") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="ntldr") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="MSDOS.SYS") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="IO.SYS") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="boot.ini") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="ntuser.dat") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="desktop.ini") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="CONFIG.SYS") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="RECYCLER") returned -1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="bootmgr") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="programdata") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="appdata") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="program files") returned 1 [0089.253] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="program files (x86)") returned 1 [0089.253] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0089.253] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="ProjectMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" [0089.253] PathFindExtensionW (pszPath="ProjectMUI.xml") returned=".xml" [0089.253] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.253] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.253] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.253] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.253] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.253] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.254] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.254] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.254] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.254] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.254] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.254] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.254] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.254] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.254] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.254] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.254] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.254] lstrlenA (lpString="NEPHILIM") returned 8 [0089.254] GetProcessHeap () returned 0x4e0000 [0089.254] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502c30 [0089.254] lstrlenA (lpString="NEPHILIM") returned 8 [0089.254] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.255] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1452) returned 1 [0089.255] GetProcessHeap () returned 0x4e0000 [0089.255] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.256] GetProcessHeap () returned 0x4e0000 [0089.256] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.256] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.256] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.256] GetProcessHeap () returned 0x4e0000 [0089.256] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.256] GetProcessHeap () returned 0x4e0000 [0089.256] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.256] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.256] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.256] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x5ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.256] SetLastError (dwErrCode=0x0) [0089.256] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.262] GetLastError () returned 0x0 [0089.262] GetLastError () returned 0x0 [0089.262] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.262] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.262] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.262] lstrlenA (lpString="NEPHILIM") returned 8 [0089.262] WriteFile (in: hFile=0xec, lpBuffer=0x502c30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502c30*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.262] GetProcessHeap () returned 0x4e0000 [0089.262] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x5ac) returned 0x50a8a8 [0089.263] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.263] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x5ac, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x5ac, lpOverlapped=0x0) returned 1 [0089.263] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.263] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x5ac, lpOverlapped=0x0) returned 1 [0089.263] GetProcessHeap () returned 0x4e0000 [0089.263] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.263] CloseHandle (hObject=0xec) returned 1 [0089.270] GetProcessHeap () returned 0x4e0000 [0089.270] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.270] GetProcessHeap () returned 0x4e0000 [0089.270] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.270] GetProcessHeap () returned 0x4e0000 [0089.270] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.270] GetProcessHeap () returned 0x4e0000 [0089.270] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.270] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" [0089.270] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.NEPHILIM" [0089.270] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.nephilim")) returned 1 [0089.271] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30306de0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30306de0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b7cde0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x7e1dcd, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ProjLR.cab", cAlternateFileName="")) returned 1 [0089.271] lstrcmpiW (lpString1="ProjLR.cab", lpString2=".") returned 1 [0089.271] lstrcmpiW (lpString1="ProjLR.cab", lpString2="..") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="...") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="windows") returned -1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="$RECYCLE.BIN") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="rsa") returned -1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="log") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="NTDETECT.COM") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="ntldr") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="MSDOS.SYS") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="IO.SYS") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="boot.ini") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="AUTOEXEC.BAT") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="ntuser.dat") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="desktop.ini") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="CONFIG.SYS") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="RECYCLER") returned -1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="BOOTSECT.BAK") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="bootmgr") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="programdata") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="appdata") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="program files") returned 1 [0089.272] lstrcmpiW (lpString1="ProjLR.cab", lpString2="program files (x86)") returned 1 [0089.272] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0089.272] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="ProjLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" [0089.272] PathFindExtensionW (pszPath="ProjLR.cab") returned=".cab" [0089.272] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0089.273] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0089.273] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0089.273] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.273] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0089.274] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0089.274] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0089.274] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0089.274] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0089.274] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0089.274] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" [0089.274] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.274] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.274] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.274] lstrlenA (lpString="NEPHILIM") returned 8 [0089.274] GetProcessHeap () returned 0x4e0000 [0089.275] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502c40 [0089.275] lstrlenA (lpString="NEPHILIM") returned 8 [0089.275] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.276] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1872) returned 1 [0089.276] GetProcessHeap () returned 0x4e0000 [0089.276] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.276] GetProcessHeap () returned 0x4e0000 [0089.276] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.276] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.276] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.276] GetProcessHeap () returned 0x4e0000 [0089.276] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.276] GetProcessHeap () returned 0x4e0000 [0089.276] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.276] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.277] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.277] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.277] SetLastError (dwErrCode=0x0) [0089.277] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.279] GetLastError () returned 0x0 [0089.279] GetLastError () returned 0x0 [0089.279] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.279] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.280] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.280] lstrlenA (lpString="NEPHILIM") returned 8 [0089.280] WriteFile (in: hFile=0xec, lpBuffer=0x502c40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502c40*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.280] GetProcessHeap () returned 0x4e0000 [0089.280] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x750) returned 0x50a8a8 [0089.280] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.280] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x750, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x750, lpOverlapped=0x0) returned 1 [0089.280] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.280] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x750, lpOverlapped=0x0) returned 1 [0089.280] GetProcessHeap () returned 0x4e0000 [0089.280] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.280] CloseHandle (hObject=0xec) returned 1 [0089.284] GetProcessHeap () returned 0x4e0000 [0089.284] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.284] GetProcessHeap () returned 0x4e0000 [0089.284] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.284] GetProcessHeap () returned 0x4e0000 [0089.284] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.284] GetProcessHeap () returned 0x4e0000 [0089.284] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.284] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" [0089.284] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0089.284] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0089.285] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0089.285] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0089.285] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0089.285] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0089.285] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0089.285] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0089.285] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0089.285] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0089.285] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0089.285] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0089.286] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0089.286] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0089.286] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-00BA-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C" [0089.286] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" [0089.286] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" [0089.286] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*" [0089.286] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0089.289] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0089.289] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0089.289] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0089.289] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0089.289] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0089.289] lstrcmpiW (lpString1="GrooveLR.cab", lpString2=".") returned 1 [0089.289] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="..") returned 1 [0089.289] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="...") returned 1 [0089.289] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="windows") returned -1 [0089.289] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="$RECYCLE.BIN") returned 1 [0089.289] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="rsa") returned -1 [0089.289] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="log") returned -1 [0089.289] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="NTDETECT.COM") returned -1 [0089.289] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="ntldr") returned -1 [0089.289] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="MSDOS.SYS") returned -1 [0089.289] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="IO.SYS") returned -1 [0089.290] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="boot.ini") returned 1 [0089.290] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="AUTOEXEC.BAT") returned 1 [0089.290] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="ntuser.dat") returned -1 [0089.290] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="desktop.ini") returned 1 [0089.290] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="CONFIG.SYS") returned 1 [0089.290] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="RECYCLER") returned -1 [0089.290] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="BOOTSECT.BAK") returned 1 [0089.290] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="bootmgr") returned 1 [0089.290] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="programdata") returned -1 [0089.290] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="appdata") returned 1 [0089.290] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="program files") returned -1 [0089.290] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="program files (x86)") returned -1 [0089.290] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" [0089.290] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="GrooveLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" [0089.290] PathFindExtensionW (pszPath="GrooveLR.cab") returned=".cab" [0089.290] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0089.290] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0089.290] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0089.290] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee3b15e0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x264400, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="GrooveMUI.msi", cAlternateFileName="GROOVE~1.MSI")) returned 1 [0089.290] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2=".") returned 1 [0089.290] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="..") returned 1 [0089.290] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="...") returned 1 [0089.290] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="windows") returned -1 [0089.290] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="rsa") returned -1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="log") returned -1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="NTDETECT.COM") returned -1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="ntldr") returned -1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="MSDOS.SYS") returned -1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="IO.SYS") returned -1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="boot.ini") returned 1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="AUTOEXEC.BAT") returned 1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="ntuser.dat") returned -1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="desktop.ini") returned 1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="CONFIG.SYS") returned 1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="RECYCLER") returned -1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="BOOTSECT.BAK") returned 1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="bootmgr") returned 1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="programdata") returned -1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="appdata") returned 1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="program files") returned -1 [0089.291] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="program files (x86)") returned -1 [0089.291] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" [0089.291] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="GrooveMUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" [0089.291] PathFindExtensionW (pszPath="GrooveMUI.msi") returned=".msi" [0089.291] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0089.291] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0089.291] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0089.291] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0089.292] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0089.292] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0089.292] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0089.292] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0089.292] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0089.292] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0089.292] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0089.292] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0089.292] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0089.292] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0089.292] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0089.292] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="GrooveMUI.xml", cAlternateFileName="GROOVE~1.XML")) returned 1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2=".") returned 1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="..") returned 1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="...") returned 1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="windows") returned -1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="rsa") returned -1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="log") returned -1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="NTDETECT.COM") returned -1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="ntldr") returned -1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="MSDOS.SYS") returned -1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="IO.SYS") returned -1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="boot.ini") returned 1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.292] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="ntuser.dat") returned -1 [0089.293] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="desktop.ini") returned 1 [0089.293] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="CONFIG.SYS") returned 1 [0089.293] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="RECYCLER") returned -1 [0089.293] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.293] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="bootmgr") returned 1 [0089.293] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="programdata") returned -1 [0089.293] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="appdata") returned 1 [0089.293] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="program files") returned -1 [0089.293] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="program files (x86)") returned -1 [0089.293] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" [0089.293] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="GrooveMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" [0089.293] PathFindExtensionW (pszPath="GrooveMUI.xml") returned=".xml" [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.293] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.294] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.294] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.294] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0089.294] lstrlenA (lpString="NEPHILIM") returned 8 [0089.294] GetProcessHeap () returned 0x4e0000 [0089.294] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502c50 [0089.294] lstrlenA (lpString="NEPHILIM") returned 8 [0089.294] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.295] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=913) returned 1 [0089.295] GetProcessHeap () returned 0x4e0000 [0089.295] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.295] GetProcessHeap () returned 0x4e0000 [0089.295] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.295] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.295] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.295] GetProcessHeap () returned 0x4e0000 [0089.295] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.295] GetProcessHeap () returned 0x4e0000 [0089.295] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.295] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.296] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.296] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x391, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.296] SetLastError (dwErrCode=0x0) [0089.296] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.298] GetLastError () returned 0x0 [0089.298] GetLastError () returned 0x0 [0089.298] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x491, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.298] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.299] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x591, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.299] lstrlenA (lpString="NEPHILIM") returned 8 [0089.299] WriteFile (in: hFile=0xec, lpBuffer=0x502c50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502c50*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.299] GetProcessHeap () returned 0x4e0000 [0089.299] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x391) returned 0x507390 [0089.299] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.299] ReadFile (in: hFile=0xec, lpBuffer=0x507390, nNumberOfBytesToRead=0x391, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x507390*, lpNumberOfBytesRead=0x24de430*=0x391, lpOverlapped=0x0) returned 1 [0089.299] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.299] WriteFile (in: hFile=0xec, lpBuffer=0x507390*, nNumberOfBytesToWrite=0x391, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507390*, lpNumberOfBytesWritten=0x24de43c*=0x391, lpOverlapped=0x0) returned 1 [0089.299] GetProcessHeap () returned 0x4e0000 [0089.299] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507390 | out: hHeap=0x4e0000) returned 1 [0089.299] CloseHandle (hObject=0xec) returned 1 [0089.304] GetProcessHeap () returned 0x4e0000 [0089.304] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.304] GetProcessHeap () returned 0x4e0000 [0089.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.305] GetProcessHeap () returned 0x4e0000 [0089.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.305] GetProcessHeap () returned 0x4e0000 [0089.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.305] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" [0089.305] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.NEPHILIM" [0089.305] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.nephilim")) returned 1 [0089.306] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0089.306] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0089.306] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0089.306] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0089.306] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0089.306] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.306] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0089.306] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0089.306] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0089.306] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0089.306] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0089.306] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0089.306] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0089.307] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.307] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0089.307] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0089.307] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0089.307] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0089.307] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.307] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0089.307] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0089.307] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0089.307] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0089.307] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0089.307] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" [0089.307] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" [0089.307] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0089.307] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.307] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.307] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.307] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.307] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.307] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.307] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.307] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.308] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.308] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.308] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.308] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.308] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.308] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.308] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.308] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.308] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.308] lstrlenA (lpString="NEPHILIM") returned 8 [0089.308] GetProcessHeap () returned 0x4e0000 [0089.308] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502c60 [0089.308] lstrlenA (lpString="NEPHILIM") returned 8 [0089.308] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.309] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1452) returned 1 [0089.309] GetProcessHeap () returned 0x4e0000 [0089.309] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.309] GetProcessHeap () returned 0x4e0000 [0089.309] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.309] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.309] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.309] GetProcessHeap () returned 0x4e0000 [0089.309] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.309] GetProcessHeap () returned 0x4e0000 [0089.309] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.309] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.309] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.310] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x5ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.310] SetLastError (dwErrCode=0x0) [0089.310] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.312] GetLastError () returned 0x0 [0089.312] GetLastError () returned 0x0 [0089.312] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.312] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.313] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.313] lstrlenA (lpString="NEPHILIM") returned 8 [0089.313] WriteFile (in: hFile=0xec, lpBuffer=0x502c60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502c60*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.313] GetProcessHeap () returned 0x4e0000 [0089.313] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x5ac) returned 0x50a8a8 [0089.313] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.313] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x5ac, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x5ac, lpOverlapped=0x0) returned 1 [0089.313] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.313] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x5ac, lpOverlapped=0x0) returned 1 [0089.313] GetProcessHeap () returned 0x4e0000 [0089.313] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.313] CloseHandle (hObject=0xec) returned 1 [0089.317] GetProcessHeap () returned 0x4e0000 [0089.317] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.317] GetProcessHeap () returned 0x4e0000 [0089.318] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.318] GetProcessHeap () returned 0x4e0000 [0089.318] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.318] GetProcessHeap () returned 0x4e0000 [0089.318] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.318] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" [0089.318] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0089.318] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0089.319] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0089.319] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0089.320] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0089.320] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0089.320] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0089.320] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0089.320] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0089.320] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0089.320] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0089.320] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0089.320] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0089.320] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0089.321] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0089.321] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0089.321] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0115-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C" [0089.321] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.321] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.321] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" [0089.321] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0089.327] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0089.327] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0089.327] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0089.327] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0089.328] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="1033", cAlternateFileName="")) returned 1 [0089.328] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="$RECYCLE.BIN") returned 1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="rsa") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="log") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="NTDETECT.COM") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="ntldr") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="MSDOS.SYS") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="IO.SYS") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="boot.ini") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="AUTOEXEC.BAT") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="ntuser.dat") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="desktop.ini") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="CONFIG.SYS") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="RECYCLER") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="BOOTSECT.BAK") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="bootmgr") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="programdata") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="appdata") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="program files") returned -1 [0089.328] lstrcmpiW (lpString1="1033", lpString2="program files (x86)") returned -1 [0089.328] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.329] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="1033" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033" [0089.329] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\" [0089.329] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\" [0089.329] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*" [0089.329] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x502870 [0089.330] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0089.330] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0089.330] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0089.330] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0089.330] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2=".") returned 1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2="..") returned 1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2="...") returned 1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2="windows") returned -1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2="$RECYCLE.BIN") returned 1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2="rsa") returned -1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2="log") returned -1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2="NTDETECT.COM") returned -1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2="ntldr") returned -1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2="MSDOS.SYS") returned -1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2="IO.SYS") returned -1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2="boot.ini") returned 1 [0089.330] lstrcmpiW (lpString1="dwintl20.dll", lpString2="AUTOEXEC.BAT") returned 1 [0089.331] lstrcmpiW (lpString1="dwintl20.dll", lpString2="ntuser.dat") returned -1 [0089.331] lstrcmpiW (lpString1="dwintl20.dll", lpString2="desktop.ini") returned 1 [0089.331] lstrcmpiW (lpString1="dwintl20.dll", lpString2="CONFIG.SYS") returned 1 [0089.331] lstrcmpiW (lpString1="dwintl20.dll", lpString2="RECYCLER") returned -1 [0089.331] lstrcmpiW (lpString1="dwintl20.dll", lpString2="BOOTSECT.BAK") returned 1 [0089.331] lstrcmpiW (lpString1="dwintl20.dll", lpString2="bootmgr") returned 1 [0089.331] lstrcmpiW (lpString1="dwintl20.dll", lpString2="programdata") returned -1 [0089.331] lstrcmpiW (lpString1="dwintl20.dll", lpString2="appdata") returned 1 [0089.331] lstrcmpiW (lpString1="dwintl20.dll", lpString2="program files") returned -1 [0089.331] lstrcmpiW (lpString1="dwintl20.dll", lpString2="program files (x86)") returned -1 [0089.331] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\" [0089.331] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\", lpString2="dwintl20.dll" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" [0089.331] PathFindExtensionW (pszPath="dwintl20.dll") returned=".dll" [0089.331] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0089.331] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0089.331] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0089.331] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0089.331] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0089.331] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0089.331] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0089.331] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0089.331] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 0 [0089.331] FindClose (in: hFindFile=0x502870 | out: hFindFile=0x502870) returned 1 [0089.332] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2=".") returned 1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="..") returned 1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="...") returned 1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="windows") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="rsa") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="log") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="NTDETECT.COM") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="ntldr") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="MSDOS.SYS") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="IO.SYS") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="boot.ini") returned 1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="ntuser.dat") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="desktop.ini") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="CONFIG.SYS") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="RECYCLER") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="bootmgr") returned 1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="programdata") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="appdata") returned 1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="program files") returned -1 [0089.332] lstrcmpiW (lpString1="branding.xml", lpString2="program files (x86)") returned -1 [0089.332] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.332] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="branding.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" [0089.333] PathFindExtensionW (pszPath="branding.xml") returned=".xml" [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.333] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.333] lstrcmpiW (lpString1="branding.xml", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0089.333] lstrlenA (lpString="NEPHILIM") returned 8 [0089.333] GetProcessHeap () returned 0x4e0000 [0089.333] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502c70 [0089.333] lstrlenA (lpString="NEPHILIM") returned 8 [0089.333] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.335] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=596341) returned 1 [0089.335] GetProcessHeap () returned 0x4e0000 [0089.335] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.335] GetProcessHeap () returned 0x4e0000 [0089.335] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.335] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.335] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.335] GetProcessHeap () returned 0x4e0000 [0089.335] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.335] GetProcessHeap () returned 0x4e0000 [0089.335] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.335] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.336] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.336] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x91975, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.336] SetLastError (dwErrCode=0x0) [0089.336] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.339] GetLastError () returned 0x0 [0089.339] GetLastError () returned 0x0 [0089.339] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x91a75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.339] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.339] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x91b75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.339] lstrlenA (lpString="NEPHILIM") returned 8 [0089.339] WriteFile (in: hFile=0xec, lpBuffer=0x502c70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502c70*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.339] GetProcessHeap () returned 0x4e0000 [0089.339] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x91975) returned 0x2010020 [0089.339] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.340] ReadFile (in: hFile=0xec, lpBuffer=0x2010020, nNumberOfBytesToRead=0x91975, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesRead=0x24de430*=0x91975, lpOverlapped=0x0) returned 1 [0089.390] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.390] WriteFile (in: hFile=0xec, lpBuffer=0x2010020*, nNumberOfBytesToWrite=0x91975, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesWritten=0x24de43c*=0x91975, lpOverlapped=0x0) returned 1 [0089.393] GetProcessHeap () returned 0x4e0000 [0089.393] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2010020 | out: hHeap=0x4e0000) returned 1 [0089.397] CloseHandle (hObject=0xec) returned 1 [0089.414] GetProcessHeap () returned 0x4e0000 [0089.414] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.414] GetProcessHeap () returned 0x4e0000 [0089.414] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.414] GetProcessHeap () returned 0x4e0000 [0089.414] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.414] GetProcessHeap () returned 0x4e0000 [0089.414] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.414] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" [0089.414] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.NEPHILIM" [0089.414] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.nephilim")) returned 1 [0089.415] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa26c9d00, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xa26c9d00, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85142d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xccb88, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0089.415] lstrcmpiW (lpString1="DW20.EXE", lpString2=".") returned 1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="..") returned 1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="...") returned 1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="windows") returned -1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="$RECYCLE.BIN") returned 1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="rsa") returned -1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="log") returned -1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="NTDETECT.COM") returned -1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="ntldr") returned -1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="MSDOS.SYS") returned -1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="IO.SYS") returned -1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="boot.ini") returned 1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="AUTOEXEC.BAT") returned 1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="ntuser.dat") returned -1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="desktop.ini") returned 1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="CONFIG.SYS") returned 1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="RECYCLER") returned -1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="BOOTSECT.BAK") returned 1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="bootmgr") returned 1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="programdata") returned -1 [0089.416] lstrcmpiW (lpString1="DW20.EXE", lpString2="appdata") returned 1 [0089.417] lstrcmpiW (lpString1="DW20.EXE", lpString2="program files") returned -1 [0089.417] lstrcmpiW (lpString1="DW20.EXE", lpString2="program files (x86)") returned -1 [0089.417] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.417] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="DW20.EXE" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" [0089.417] PathFindExtensionW (pszPath="DW20.EXE") returned=".EXE" [0089.417] lstrcmpiW (lpString1=".EXE", lpString2=".exe") returned 0 [0089.417] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85ab8b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x80760, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="dwdcw20.dll", cAlternateFileName="")) returned 1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2=".") returned 1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="..") returned 1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="...") returned 1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="windows") returned -1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="$RECYCLE.BIN") returned 1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="rsa") returned -1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="log") returned -1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="NTDETECT.COM") returned -1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="ntldr") returned -1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="MSDOS.SYS") returned -1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="IO.SYS") returned -1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="boot.ini") returned 1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="AUTOEXEC.BAT") returned 1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="ntuser.dat") returned -1 [0089.417] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="desktop.ini") returned 1 [0089.418] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="CONFIG.SYS") returned 1 [0089.418] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="RECYCLER") returned -1 [0089.418] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="BOOTSECT.BAK") returned 1 [0089.418] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="bootmgr") returned 1 [0089.418] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="programdata") returned -1 [0089.418] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="appdata") returned 1 [0089.418] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="program files") returned -1 [0089.418] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="program files (x86)") returned -1 [0089.418] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.418] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="dwdcw20.dll" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" [0089.418] PathFindExtensionW (pszPath="dwdcw20.dll") returned=".dll" [0089.418] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0089.418] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0089.419] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0089.419] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0089.419] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0089.419] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0089.419] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0089.419] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0089.419] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85f73a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7eda0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="dwtrig20.exe", cAlternateFileName="")) returned 1 [0089.419] lstrcmpiW (lpString1="dwtrig20.exe", lpString2=".") returned 1 [0089.419] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="..") returned 1 [0089.419] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="...") returned 1 [0089.419] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="windows") returned -1 [0089.419] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="$RECYCLE.BIN") returned 1 [0089.419] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="rsa") returned -1 [0089.419] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="log") returned -1 [0089.419] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="NTDETECT.COM") returned -1 [0089.419] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="ntldr") returned -1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="MSDOS.SYS") returned -1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="IO.SYS") returned -1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="boot.ini") returned 1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="AUTOEXEC.BAT") returned 1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="ntuser.dat") returned -1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="desktop.ini") returned 1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="CONFIG.SYS") returned 1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="RECYCLER") returned -1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="BOOTSECT.BAK") returned 1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="bootmgr") returned 1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="programdata") returned -1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="appdata") returned 1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="program files") returned -1 [0089.420] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="program files (x86)") returned -1 [0089.420] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.420] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="dwtrig20.exe" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" [0089.421] PathFindExtensionW (pszPath="dwtrig20.exe") returned=".exe" [0089.421] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0089.421] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d646800, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8d646800, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x741, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Microsoft.VC90.CRT.manifest", cAlternateFileName="MICROS~1.MAN")) returned 1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2=".") returned 1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="..") returned 1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="...") returned 1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="windows") returned -1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="$RECYCLE.BIN") returned 1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="rsa") returned -1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="log") returned 1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="NTDETECT.COM") returned -1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="ntldr") returned -1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="MSDOS.SYS") returned -1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="IO.SYS") returned 1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="boot.ini") returned 1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="AUTOEXEC.BAT") returned 1 [0089.421] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="ntuser.dat") returned -1 [0089.422] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="desktop.ini") returned 1 [0089.422] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="CONFIG.SYS") returned 1 [0089.422] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="RECYCLER") returned -1 [0089.422] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="BOOTSECT.BAK") returned 1 [0089.422] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="bootmgr") returned 1 [0089.422] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="programdata") returned -1 [0089.422] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="appdata") returned 1 [0089.422] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="program files") returned -1 [0089.422] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="program files (x86)") returned -1 [0089.422] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.422] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="Microsoft.VC90.CRT.manifest" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" [0089.422] PathFindExtensionW (pszPath="Microsoft.VC90.CRT.manifest") returned=".manifest" [0089.422] lstrcmpiW (lpString1=".manifest", lpString2=".exe") returned 1 [0089.422] lstrcmpiW (lpString1=".manifest", lpString2=".log") returned 1 [0089.422] lstrcmpiW (lpString1=".manifest", lpString2=".cab") returned 1 [0089.422] lstrcmpiW (lpString1=".manifest", lpString2=".cmd") returned 1 [0089.422] lstrcmpiW (lpString1=".manifest", lpString2=".com") returned 1 [0089.423] lstrcmpiW (lpString1=".manifest", lpString2=".cpl") returned 1 [0089.423] lstrcmpiW (lpString1=".manifest", lpString2=".ini") returned 1 [0089.423] lstrcmpiW (lpString1=".manifest", lpString2=".dll") returned 1 [0089.423] lstrcmpiW (lpString1=".manifest", lpString2=".url") returned -1 [0089.423] lstrcmpiW (lpString1=".manifest", lpString2=".ttf") returned -1 [0089.423] lstrcmpiW (lpString1=".manifest", lpString2=".mp3") returned -1 [0089.423] lstrcmpiW (lpString1=".manifest", lpString2=".pif") returned -1 [0089.423] lstrcmpiW (lpString1=".manifest", lpString2=".mp4") returned -1 [0089.423] lstrcmpiW (lpString1=".manifest", lpString2=".NEPHILIM") returned -1 [0089.423] lstrcmpiW (lpString1=".manifest", lpString2=".msi") returned -1 [0089.423] lstrcmpiW (lpString1=".manifest", lpString2=".lnk") returned 1 [0089.423] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0089.423] lstrlenA (lpString="NEPHILIM") returned 8 [0089.423] GetProcessHeap () returned 0x4e0000 [0089.423] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502c80 [0089.423] lstrlenA (lpString="NEPHILIM") returned 8 [0089.424] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.425] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1857) returned 1 [0089.425] GetProcessHeap () returned 0x4e0000 [0089.425] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.425] GetProcessHeap () returned 0x4e0000 [0089.425] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.425] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.425] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.425] GetProcessHeap () returned 0x4e0000 [0089.425] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.426] GetProcessHeap () returned 0x4e0000 [0089.426] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.426] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.426] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.426] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x741, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.426] SetLastError (dwErrCode=0x0) [0089.426] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.451] GetLastError () returned 0x0 [0089.451] GetLastError () returned 0x0 [0089.451] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x841, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.451] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.451] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x941, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.451] lstrlenA (lpString="NEPHILIM") returned 8 [0089.451] WriteFile (in: hFile=0xec, lpBuffer=0x502c80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502c80*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.452] GetProcessHeap () returned 0x4e0000 [0089.452] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x741) returned 0x50a8a8 [0089.452] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.452] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x741, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x741, lpOverlapped=0x0) returned 1 [0089.452] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.452] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x741, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x741, lpOverlapped=0x0) returned 1 [0089.452] GetProcessHeap () returned 0x4e0000 [0089.452] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.452] CloseHandle (hObject=0xec) returned 1 [0089.462] GetProcessHeap () returned 0x4e0000 [0089.462] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.462] GetProcessHeap () returned 0x4e0000 [0089.462] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.462] GetProcessHeap () returned 0x4e0000 [0089.462] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.462] GetProcessHeap () returned 0x4e0000 [0089.462] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.462] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" [0089.462] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.NEPHILIM" [0089.462] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.nephilim")) returned 1 [0089.463] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c333b00, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8c333b00, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe86b5a80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa0200, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="msvcr90.dll", cAlternateFileName="")) returned 1 [0089.463] lstrcmpiW (lpString1="msvcr90.dll", lpString2=".") returned 1 [0089.463] lstrcmpiW (lpString1="msvcr90.dll", lpString2="..") returned 1 [0089.463] lstrcmpiW (lpString1="msvcr90.dll", lpString2="...") returned 1 [0089.463] lstrcmpiW (lpString1="msvcr90.dll", lpString2="windows") returned -1 [0089.463] lstrcmpiW (lpString1="msvcr90.dll", lpString2="$RECYCLE.BIN") returned 1 [0089.463] lstrcmpiW (lpString1="msvcr90.dll", lpString2="rsa") returned -1 [0089.463] lstrcmpiW (lpString1="msvcr90.dll", lpString2="log") returned 1 [0089.463] lstrcmpiW (lpString1="msvcr90.dll", lpString2="NTDETECT.COM") returned -1 [0089.463] lstrcmpiW (lpString1="msvcr90.dll", lpString2="ntldr") returned -1 [0089.463] lstrcmpiW (lpString1="msvcr90.dll", lpString2="MSDOS.SYS") returned 1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="IO.SYS") returned 1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="boot.ini") returned 1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="AUTOEXEC.BAT") returned 1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="ntuser.dat") returned -1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="desktop.ini") returned 1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="CONFIG.SYS") returned 1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="RECYCLER") returned -1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="BOOTSECT.BAK") returned 1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="bootmgr") returned 1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="programdata") returned -1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="appdata") returned 1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="program files") returned -1 [0089.464] lstrcmpiW (lpString1="msvcr90.dll", lpString2="program files (x86)") returned -1 [0089.464] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.464] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="msvcr90.dll" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" [0089.464] PathFindExtensionW (pszPath="msvcr90.dll") returned=".dll" [0089.464] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0089.464] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0089.464] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0089.464] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0089.464] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0089.464] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0089.464] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0089.464] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0089.464] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7e3b3f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd79282, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OfficeLR.cab", cAlternateFileName="")) returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2=".") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="..") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="...") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="windows") returned -1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="$RECYCLE.BIN") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="rsa") returned -1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="log") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="NTDETECT.COM") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="ntldr") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="MSDOS.SYS") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="IO.SYS") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="boot.ini") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="AUTOEXEC.BAT") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="ntuser.dat") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="desktop.ini") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="CONFIG.SYS") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="RECYCLER") returned -1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="BOOTSECT.BAK") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="bootmgr") returned 1 [0089.465] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="programdata") returned -1 [0089.466] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="appdata") returned 1 [0089.466] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="program files") returned -1 [0089.466] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="program files (x86)") returned -1 [0089.466] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.466] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="OfficeLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" [0089.466] PathFindExtensionW (pszPath="OfficeLR.cab") returned=".cab" [0089.466] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0089.466] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0089.466] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0089.466] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c4ba40, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x387e00, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OfficeMUI.msi", cAlternateFileName="OFFICE~2.MSI")) returned 1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2=".") returned 1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="..") returned 1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="...") returned 1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="windows") returned -1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="rsa") returned -1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="log") returned 1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="NTDETECT.COM") returned 1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="ntldr") returned 1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="MSDOS.SYS") returned 1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="IO.SYS") returned 1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="boot.ini") returned 1 [0089.466] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="AUTOEXEC.BAT") returned 1 [0089.467] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="ntuser.dat") returned 1 [0089.467] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="desktop.ini") returned 1 [0089.467] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="CONFIG.SYS") returned 1 [0089.467] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="RECYCLER") returned -1 [0089.467] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="BOOTSECT.BAK") returned 1 [0089.467] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="bootmgr") returned 1 [0089.467] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="programdata") returned -1 [0089.467] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="appdata") returned 1 [0089.467] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="program files") returned -1 [0089.467] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="program files (x86)") returned -1 [0089.467] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.467] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="OfficeMUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" [0089.467] PathFindExtensionW (pszPath="OfficeMUI.msi") returned=".msi" [0089.467] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0089.467] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0089.467] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0089.467] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0089.467] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0089.467] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0089.467] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0089.467] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0089.467] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0089.467] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0089.468] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0089.468] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0089.468] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0089.468] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0089.468] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0089.468] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OfficeMUI.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2=".") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="..") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="...") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="windows") returned -1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="rsa") returned -1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="log") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="NTDETECT.COM") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="ntldr") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="MSDOS.SYS") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="IO.SYS") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="boot.ini") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="ntuser.dat") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="desktop.ini") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="CONFIG.SYS") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="RECYCLER") returned -1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.468] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="bootmgr") returned 1 [0089.469] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="programdata") returned -1 [0089.469] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="appdata") returned 1 [0089.469] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="program files") returned -1 [0089.469] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="program files (x86)") returned -1 [0089.469] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.469] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="OfficeMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" [0089.469] PathFindExtensionW (pszPath="OfficeMUI.xml") returned=".xml" [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.469] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.470] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.470] lstrlenA (lpString="NEPHILIM") returned 8 [0089.470] GetProcessHeap () returned 0x4e0000 [0089.470] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502c90 [0089.470] lstrlenA (lpString="NEPHILIM") returned 8 [0089.470] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.470] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=5557) returned 1 [0089.470] GetProcessHeap () returned 0x4e0000 [0089.470] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.470] GetProcessHeap () returned 0x4e0000 [0089.470] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.471] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.471] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.471] GetProcessHeap () returned 0x4e0000 [0089.471] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.471] GetProcessHeap () returned 0x4e0000 [0089.471] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.471] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.471] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.471] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.471] SetLastError (dwErrCode=0x0) [0089.471] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.474] GetLastError () returned 0x0 [0089.474] GetLastError () returned 0x0 [0089.474] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x16b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.474] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.474] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.474] lstrlenA (lpString="NEPHILIM") returned 8 [0089.474] WriteFile (in: hFile=0xec, lpBuffer=0x502c90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502c90*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.474] GetProcessHeap () returned 0x4e0000 [0089.474] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x15b5) returned 0x50a8a8 [0089.474] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.474] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x15b5, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x15b5, lpOverlapped=0x0) returned 1 [0089.476] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.476] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x15b5, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x15b5, lpOverlapped=0x0) returned 1 [0089.476] GetProcessHeap () returned 0x4e0000 [0089.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.476] CloseHandle (hObject=0xec) returned 1 [0089.478] GetProcessHeap () returned 0x4e0000 [0089.478] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.478] GetProcessHeap () returned 0x4e0000 [0089.478] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.478] GetProcessHeap () returned 0x4e0000 [0089.478] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.478] GetProcessHeap () returned 0x4e0000 [0089.478] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.478] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" [0089.478] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.NEPHILIM" [0089.478] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.nephilim")) returned 1 [0089.479] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OfficeMUISet.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0089.479] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2=".") returned 1 [0089.479] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="..") returned 1 [0089.479] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="...") returned 1 [0089.479] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="windows") returned -1 [0089.479] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="$RECYCLE.BIN") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="rsa") returned -1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="log") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="NTDETECT.COM") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="ntldr") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="MSDOS.SYS") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="IO.SYS") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="boot.ini") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="AUTOEXEC.BAT") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="ntuser.dat") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="desktop.ini") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="CONFIG.SYS") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="RECYCLER") returned -1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="BOOTSECT.BAK") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="bootmgr") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="programdata") returned -1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="appdata") returned 1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="program files") returned -1 [0089.480] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="program files (x86)") returned -1 [0089.480] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.480] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="OfficeMUISet.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" [0089.480] PathFindExtensionW (pszPath="OfficeMUISet.msi") returned=".msi" [0089.480] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0089.480] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0089.481] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0089.481] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OfficeMUISet.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0089.481] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2=".") returned 1 [0089.481] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="..") returned 1 [0089.481] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="...") returned 1 [0089.481] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="windows") returned -1 [0089.481] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.481] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="rsa") returned -1 [0089.481] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="log") returned 1 [0089.481] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="NTDETECT.COM") returned 1 [0089.481] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="ntldr") returned 1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="MSDOS.SYS") returned 1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="IO.SYS") returned 1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="boot.ini") returned 1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="ntuser.dat") returned 1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="desktop.ini") returned 1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="CONFIG.SYS") returned 1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="RECYCLER") returned -1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="bootmgr") returned 1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="programdata") returned -1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="appdata") returned 1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="program files") returned -1 [0089.482] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="program files (x86)") returned -1 [0089.482] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.482] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="OfficeMUISet.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" [0089.482] PathFindExtensionW (pszPath="OfficeMUISet.xml") returned=".xml" [0089.482] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.482] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.482] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.482] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.482] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.483] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.483] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.483] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.483] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.483] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.483] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.483] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.483] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.483] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.483] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.483] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.483] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.483] lstrlenA (lpString="NEPHILIM") returned 8 [0089.483] GetProcessHeap () returned 0x4e0000 [0089.483] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502ca0 [0089.483] lstrlenA (lpString="NEPHILIM") returned 8 [0089.483] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.484] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=819) returned 1 [0089.484] GetProcessHeap () returned 0x4e0000 [0089.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.484] GetProcessHeap () returned 0x4e0000 [0089.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.484] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.484] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.484] GetProcessHeap () returned 0x4e0000 [0089.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.484] GetProcessHeap () returned 0x4e0000 [0089.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.484] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.484] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.485] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x333, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.485] SetLastError (dwErrCode=0x0) [0089.485] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.488] GetLastError () returned 0x0 [0089.488] GetLastError () returned 0x0 [0089.488] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x433, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.488] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.488] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x533, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.488] lstrlenA (lpString="NEPHILIM") returned 8 [0089.488] WriteFile (in: hFile=0xec, lpBuffer=0x502ca0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502ca0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.488] GetProcessHeap () returned 0x4e0000 [0089.488] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x333) returned 0x507390 [0089.488] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.488] ReadFile (in: hFile=0xec, lpBuffer=0x507390, nNumberOfBytesToRead=0x333, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x507390*, lpNumberOfBytesRead=0x24de430*=0x333, lpOverlapped=0x0) returned 1 [0089.488] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.489] WriteFile (in: hFile=0xec, lpBuffer=0x507390*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507390*, lpNumberOfBytesWritten=0x24de43c*=0x333, lpOverlapped=0x0) returned 1 [0089.489] GetProcessHeap () returned 0x4e0000 [0089.489] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507390 | out: hHeap=0x4e0000) returned 1 [0089.489] CloseHandle (hObject=0xec) returned 1 [0089.492] GetProcessHeap () returned 0x4e0000 [0089.492] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.492] GetProcessHeap () returned 0x4e0000 [0089.492] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.492] GetProcessHeap () returned 0x4e0000 [0089.492] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.492] GetProcessHeap () returned 0x4e0000 [0089.492] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.492] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" [0089.492] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.NEPHILIM" [0089.493] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.nephilim")) returned 1 [0089.494] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8b16200, ftCreationTime.dwHighDateTime=0x1cac190, ftLastAccessTime.dwLowDateTime=0xc8b16200, ftLastAccessTime.dwHighDateTime=0x1cac190, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="osetupui.dll", cAlternateFileName="")) returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2=".") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="..") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="...") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="windows") returned -1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="$RECYCLE.BIN") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="rsa") returned -1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="log") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="NTDETECT.COM") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="ntldr") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="MSDOS.SYS") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="IO.SYS") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="boot.ini") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="AUTOEXEC.BAT") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="ntuser.dat") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="desktop.ini") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="CONFIG.SYS") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="RECYCLER") returned -1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="BOOTSECT.BAK") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="bootmgr") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="programdata") returned -1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="appdata") returned 1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="program files") returned -1 [0089.494] lstrcmpiW (lpString1="osetupui.dll", lpString2="program files (x86)") returned -1 [0089.494] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.494] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="osetupui.dll" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" [0089.494] PathFindExtensionW (pszPath="osetupui.dll") returned=".dll" [0089.494] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0089.494] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0089.494] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0089.494] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0089.495] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0089.495] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0089.495] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0089.495] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0089.495] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x77cbb000, ftCreationTime.dwHighDateTime=0x1cac57a, ftLastAccessTime.dwLowDateTime=0x77cbb000, ftLastAccessTime.dwHighDateTime=0x1cac57a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="pss10r.chm", cAlternateFileName="")) returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2=".") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="..") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="...") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="windows") returned -1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="$RECYCLE.BIN") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="rsa") returned -1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="log") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="NTDETECT.COM") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="ntldr") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="MSDOS.SYS") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="IO.SYS") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="boot.ini") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="AUTOEXEC.BAT") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="ntuser.dat") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="desktop.ini") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="CONFIG.SYS") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="RECYCLER") returned -1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="BOOTSECT.BAK") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="bootmgr") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="programdata") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="appdata") returned 1 [0089.495] lstrcmpiW (lpString1="pss10r.chm", lpString2="program files") returned 1 [0089.496] lstrcmpiW (lpString1="pss10r.chm", lpString2="program files (x86)") returned 1 [0089.496] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.496] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="pss10r.chm" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" [0089.496] PathFindExtensionW (pszPath="pss10r.chm") returned=".chm" [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".exe") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".log") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".cab") returned 1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".cmd") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".com") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".cpl") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".dll") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".url") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".ttf") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".mp3") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".pif") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".mp4") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".NEPHILIM") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".msi") returned -1 [0089.496] lstrcmpiW (lpString1=".chm", lpString2=".lnk") returned -1 [0089.496] lstrcmpiW (lpString1="pss10r.chm", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.496] lstrlenA (lpString="NEPHILIM") returned 8 [0089.496] GetProcessHeap () returned 0x4e0000 [0089.496] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502cb0 [0089.496] lstrlenA (lpString="NEPHILIM") returned 8 [0089.497] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.497] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=27195) returned 1 [0089.497] GetProcessHeap () returned 0x4e0000 [0089.497] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.497] GetProcessHeap () returned 0x4e0000 [0089.497] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.497] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.497] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.497] GetProcessHeap () returned 0x4e0000 [0089.497] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.497] GetProcessHeap () returned 0x4e0000 [0089.497] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.497] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.498] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.498] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6a3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.498] SetLastError (dwErrCode=0x0) [0089.498] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.501] GetLastError () returned 0x0 [0089.501] GetLastError () returned 0x0 [0089.501] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6b3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.501] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.501] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6c3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.501] lstrlenA (lpString="NEPHILIM") returned 8 [0089.501] WriteFile (in: hFile=0xec, lpBuffer=0x502cb0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502cb0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.501] GetProcessHeap () returned 0x4e0000 [0089.501] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x6a3b) returned 0x50a8a8 [0089.501] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.501] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x6a3b, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x6a3b, lpOverlapped=0x0) returned 1 [0089.505] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.505] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x6a3b, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x6a3b, lpOverlapped=0x0) returned 1 [0089.505] GetProcessHeap () returned 0x4e0000 [0089.505] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.505] CloseHandle (hObject=0xec) returned 1 [0089.512] GetProcessHeap () returned 0x4e0000 [0089.512] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.512] GetProcessHeap () returned 0x4e0000 [0089.512] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.512] GetProcessHeap () returned 0x4e0000 [0089.512] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.512] GetProcessHeap () returned 0x4e0000 [0089.512] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.513] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" [0089.513] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.NEPHILIM" [0089.513] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.nephilim")) returned 1 [0089.513] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cab9f00, ftCreationTime.dwHighDateTime=0x1cac8ad, ftLastAccessTime.dwLowDateTime=0x7cab9f00, ftLastAccessTime.dwHighDateTime=0x1cac8ad, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="setup.chm", cAlternateFileName="")) returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2=".") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="..") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="...") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="windows") returned -1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="$RECYCLE.BIN") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="rsa") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="log") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="NTDETECT.COM") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="ntldr") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="MSDOS.SYS") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="IO.SYS") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="boot.ini") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="AUTOEXEC.BAT") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="ntuser.dat") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="desktop.ini") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="CONFIG.SYS") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="RECYCLER") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="BOOTSECT.BAK") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="bootmgr") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="programdata") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="appdata") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="program files") returned 1 [0089.514] lstrcmpiW (lpString1="setup.chm", lpString2="program files (x86)") returned 1 [0089.514] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.514] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="setup.chm" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" [0089.515] PathFindExtensionW (pszPath="setup.chm") returned=".chm" [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".exe") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".log") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".cab") returned 1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".cmd") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".com") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".cpl") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".dll") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".url") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".ttf") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".mp3") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".pif") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".mp4") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".NEPHILIM") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".msi") returned -1 [0089.515] lstrcmpiW (lpString1=".chm", lpString2=".lnk") returned -1 [0089.515] lstrcmpiW (lpString1="setup.chm", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.515] lstrlenA (lpString="NEPHILIM") returned 8 [0089.515] GetProcessHeap () returned 0x4e0000 [0089.515] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502cc0 [0089.515] lstrlenA (lpString="NEPHILIM") returned 8 [0089.515] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.516] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=67190) returned 1 [0089.516] GetProcessHeap () returned 0x4e0000 [0089.516] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.516] GetProcessHeap () returned 0x4e0000 [0089.516] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.516] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.516] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.516] GetProcessHeap () returned 0x4e0000 [0089.516] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.516] GetProcessHeap () returned 0x4e0000 [0089.516] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.516] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.517] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.517] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10676, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.517] SetLastError (dwErrCode=0x0) [0089.517] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.522] GetLastError () returned 0x0 [0089.522] GetLastError () returned 0x0 [0089.522] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10776, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.522] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.523] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10876, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.523] lstrlenA (lpString="NEPHILIM") returned 8 [0089.523] WriteFile (in: hFile=0xec, lpBuffer=0x502cc0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502cc0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.523] GetProcessHeap () returned 0x4e0000 [0089.523] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10676) returned 0x50a8a8 [0089.524] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.524] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x10676, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x10676, lpOverlapped=0x0) returned 1 [0089.530] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.530] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x10676, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x10676, lpOverlapped=0x0) returned 1 [0089.531] GetProcessHeap () returned 0x4e0000 [0089.531] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.531] CloseHandle (hObject=0xec) returned 1 [0089.537] GetProcessHeap () returned 0x4e0000 [0089.537] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.537] GetProcessHeap () returned 0x4e0000 [0089.537] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.537] GetProcessHeap () returned 0x4e0000 [0089.537] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.537] GetProcessHeap () returned 0x4e0000 [0089.537] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.538] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" [0089.538] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.NEPHILIM" [0089.538] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.nephilim")) returned 1 [0089.540] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0089.540] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0089.540] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0089.540] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0089.540] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0089.540] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.540] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0089.540] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0089.540] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0089.540] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0089.540] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0089.540] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0089.541] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0089.541] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.541] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0089.541] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0089.541] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0089.541] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0089.541] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.541] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0089.541] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0089.541] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0089.541] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0089.541] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0089.541] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.541] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" [0089.541] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0089.541] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.541] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.542] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.542] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.542] lstrlenA (lpString="NEPHILIM") returned 8 [0089.542] GetProcessHeap () returned 0x4e0000 [0089.543] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502cd0 [0089.543] lstrlenA (lpString="NEPHILIM") returned 8 [0089.543] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.543] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=9352) returned 1 [0089.543] GetProcessHeap () returned 0x4e0000 [0089.543] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.543] GetProcessHeap () returned 0x4e0000 [0089.543] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.543] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.543] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.544] GetProcessHeap () returned 0x4e0000 [0089.544] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.544] GetProcessHeap () returned 0x4e0000 [0089.544] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.544] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.544] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.544] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2488, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.544] SetLastError (dwErrCode=0x0) [0089.544] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.547] GetLastError () returned 0x0 [0089.547] GetLastError () returned 0x0 [0089.547] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2588, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.547] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.547] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2688, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.547] lstrlenA (lpString="NEPHILIM") returned 8 [0089.548] WriteFile (in: hFile=0xec, lpBuffer=0x502cd0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502cd0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.548] GetProcessHeap () returned 0x4e0000 [0089.548] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2488) returned 0x50a8a8 [0089.548] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.548] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x2488, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x2488, lpOverlapped=0x0) returned 1 [0089.550] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.550] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x2488, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x2488, lpOverlapped=0x0) returned 1 [0089.550] GetProcessHeap () returned 0x4e0000 [0089.550] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.550] CloseHandle (hObject=0xec) returned 1 [0089.567] GetProcessHeap () returned 0x4e0000 [0089.567] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.567] GetProcessHeap () returned 0x4e0000 [0089.567] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.567] GetProcessHeap () returned 0x4e0000 [0089.567] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.567] GetProcessHeap () returned 0x4e0000 [0089.568] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.568] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" [0089.568] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0089.568] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0089.569] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ShellUI.MST", cAlternateFileName="")) returned 1 [0089.569] lstrcmpiW (lpString1="ShellUI.MST", lpString2=".") returned 1 [0089.569] lstrcmpiW (lpString1="ShellUI.MST", lpString2="..") returned 1 [0089.569] lstrcmpiW (lpString1="ShellUI.MST", lpString2="...") returned 1 [0089.569] lstrcmpiW (lpString1="ShellUI.MST", lpString2="windows") returned -1 [0089.569] lstrcmpiW (lpString1="ShellUI.MST", lpString2="$RECYCLE.BIN") returned 1 [0089.569] lstrcmpiW (lpString1="ShellUI.MST", lpString2="rsa") returned 1 [0089.569] lstrcmpiW (lpString1="ShellUI.MST", lpString2="log") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="NTDETECT.COM") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="ntldr") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="MSDOS.SYS") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="IO.SYS") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="boot.ini") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="AUTOEXEC.BAT") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="ntuser.dat") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="desktop.ini") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="CONFIG.SYS") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="RECYCLER") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="BOOTSECT.BAK") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="bootmgr") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="programdata") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="appdata") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="program files") returned 1 [0089.570] lstrcmpiW (lpString1="ShellUI.MST", lpString2="program files (x86)") returned 1 [0089.570] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0089.571] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="ShellUI.MST" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" [0089.571] PathFindExtensionW (pszPath="ShellUI.MST") returned=".MST" [0089.571] lstrcmpiW (lpString1=".MST", lpString2=".exe") returned 1 [0089.571] lstrcmpiW (lpString1=".MST", lpString2=".log") returned 1 [0089.571] lstrcmpiW (lpString1=".MST", lpString2=".cab") returned 1 [0089.571] lstrcmpiW (lpString1=".MST", lpString2=".cmd") returned 1 [0089.571] lstrcmpiW (lpString1=".MST", lpString2=".com") returned 1 [0089.571] lstrcmpiW (lpString1=".MST", lpString2=".cpl") returned 1 [0089.571] lstrcmpiW (lpString1=".MST", lpString2=".ini") returned 1 [0089.571] lstrcmpiW (lpString1=".MST", lpString2=".dll") returned 1 [0089.571] lstrcmpiW (lpString1=".MST", lpString2=".url") returned -1 [0089.571] lstrcmpiW (lpString1=".MST", lpString2=".ttf") returned -1 [0089.571] lstrcmpiW (lpString1=".MST", lpString2=".mp3") returned 1 [0089.572] lstrcmpiW (lpString1=".MST", lpString2=".pif") returned -1 [0089.572] lstrcmpiW (lpString1=".MST", lpString2=".mp4") returned 1 [0089.572] lstrcmpiW (lpString1=".MST", lpString2=".NEPHILIM") returned -1 [0089.572] lstrcmpiW (lpString1=".MST", lpString2=".msi") returned 1 [0089.572] lstrcmpiW (lpString1=".MST", lpString2=".lnk") returned 1 [0089.572] lstrcmpiW (lpString1="ShellUI.MST", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.572] lstrlenA (lpString="NEPHILIM") returned 8 [0089.572] GetProcessHeap () returned 0x4e0000 [0089.572] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x502ce0 [0089.572] lstrlenA (lpString="NEPHILIM") returned 8 [0089.572] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.574] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=3584) returned 1 [0089.574] GetProcessHeap () returned 0x4e0000 [0089.574] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.574] GetProcessHeap () returned 0x4e0000 [0089.574] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.574] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.574] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.574] GetProcessHeap () returned 0x4e0000 [0089.574] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.574] GetProcessHeap () returned 0x4e0000 [0089.574] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.574] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.575] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.575] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.575] SetLastError (dwErrCode=0x0) [0089.575] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.577] GetLastError () returned 0x0 [0089.577] GetLastError () returned 0x0 [0089.577] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xf00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.578] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.578] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.578] lstrlenA (lpString="NEPHILIM") returned 8 [0089.578] WriteFile (in: hFile=0xec, lpBuffer=0x502ce0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x502ce0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.578] GetProcessHeap () returned 0x4e0000 [0089.578] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xe00) returned 0x50a8a8 [0089.578] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.578] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0xe00, lpOverlapped=0x0) returned 1 [0089.579] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.579] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0xe00, lpOverlapped=0x0) returned 1 [0089.579] GetProcessHeap () returned 0x4e0000 [0089.579] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.579] CloseHandle (hObject=0xec) returned 1 [0089.584] GetProcessHeap () returned 0x4e0000 [0089.584] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.584] GetProcessHeap () returned 0x4e0000 [0089.584] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.584] GetProcessHeap () returned 0x4e0000 [0089.584] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.584] GetProcessHeap () returned 0x4e0000 [0089.584] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.584] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" [0089.584] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.NEPHILIM" [0089.584] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.nephilim")) returned 1 [0089.585] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ShellUI.MST", cAlternateFileName="")) returned 0 [0089.585] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0089.585] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0089.585] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0089.585] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0089.585] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0089.585] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0089.585] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0089.586] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0089.586] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0089.586] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{90140000-0117-0409-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C" [0089.586] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" [0089.586] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" [0089.586] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" [0089.586] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0089.607] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0089.607] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0089.607] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0089.607] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0089.607] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0089.607] lstrcmpiW (lpString1="Access.en-us", lpString2=".") returned 1 [0089.607] lstrcmpiW (lpString1="Access.en-us", lpString2="..") returned 1 [0089.607] lstrcmpiW (lpString1="Access.en-us", lpString2="...") returned 1 [0089.607] lstrcmpiW (lpString1="Access.en-us", lpString2="windows") returned -1 [0089.607] lstrcmpiW (lpString1="Access.en-us", lpString2="$RECYCLE.BIN") returned 1 [0089.607] lstrcmpiW (lpString1="Access.en-us", lpString2="rsa") returned -1 [0089.607] lstrcmpiW (lpString1="Access.en-us", lpString2="log") returned -1 [0089.607] lstrcmpiW (lpString1="Access.en-us", lpString2="NTDETECT.COM") returned -1 [0089.607] lstrcmpiW (lpString1="Access.en-us", lpString2="ntldr") returned -1 [0089.607] lstrcmpiW (lpString1="Access.en-us", lpString2="MSDOS.SYS") returned -1 [0089.607] lstrcmpiW (lpString1="Access.en-us", lpString2="IO.SYS") returned -1 [0089.608] lstrcmpiW (lpString1="Access.en-us", lpString2="boot.ini") returned -1 [0089.608] lstrcmpiW (lpString1="Access.en-us", lpString2="AUTOEXEC.BAT") returned -1 [0089.608] lstrcmpiW (lpString1="Access.en-us", lpString2="ntuser.dat") returned -1 [0089.608] lstrcmpiW (lpString1="Access.en-us", lpString2="desktop.ini") returned -1 [0089.608] lstrcmpiW (lpString1="Access.en-us", lpString2="CONFIG.SYS") returned -1 [0089.608] lstrcmpiW (lpString1="Access.en-us", lpString2="RECYCLER") returned -1 [0089.608] lstrcmpiW (lpString1="Access.en-us", lpString2="BOOTSECT.BAK") returned -1 [0089.608] lstrcmpiW (lpString1="Access.en-us", lpString2="bootmgr") returned -1 [0089.608] lstrcmpiW (lpString1="Access.en-us", lpString2="programdata") returned -1 [0089.608] lstrcmpiW (lpString1="Access.en-us", lpString2="appdata") returned -1 [0089.608] lstrcmpiW (lpString1="Access.en-us", lpString2="program files") returned -1 [0089.608] lstrcmpiW (lpString1="Access.en-us", lpString2="program files (x86)") returned -1 [0089.608] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" [0089.608] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="Access.en-us" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us" [0089.608] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" [0089.608] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" [0089.608] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*" [0089.608] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x502870 [0089.625] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0089.625] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0089.625] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0089.625] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0089.625] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0089.625] lstrcmpiW (lpString1="AccessMUI.msi", lpString2=".") returned 1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="..") returned 1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="...") returned 1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="windows") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="$RECYCLE.BIN") returned 1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="rsa") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="log") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="NTDETECT.COM") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="ntldr") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="MSDOS.SYS") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="IO.SYS") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="boot.ini") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="AUTOEXEC.BAT") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="ntuser.dat") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="desktop.ini") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="CONFIG.SYS") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="RECYCLER") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="BOOTSECT.BAK") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="bootmgr") returned -1 [0089.626] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="programdata") returned -1 [0089.627] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="appdata") returned -1 [0089.627] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="program files") returned -1 [0089.627] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="program files (x86)") returned -1 [0089.627] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" [0089.627] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpString2="AccessMUI.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" [0089.627] PathFindExtensionW (pszPath="AccessMUI.msi") returned=".msi" [0089.627] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0089.627] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0089.627] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0089.627] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0089.627] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0089.627] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0089.627] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0089.627] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0089.627] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0089.627] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0089.628] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0089.628] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0089.628] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0089.628] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0089.628] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0089.628] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="AccessMUI.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0089.628] lstrcmpiW (lpString1="AccessMUI.xml", lpString2=".") returned 1 [0089.628] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="..") returned 1 [0089.628] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="...") returned 1 [0089.628] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="windows") returned -1 [0089.628] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.628] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="rsa") returned -1 [0089.628] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="log") returned -1 [0089.628] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="NTDETECT.COM") returned -1 [0089.628] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="ntldr") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="MSDOS.SYS") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="IO.SYS") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="boot.ini") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="AUTOEXEC.BAT") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="ntuser.dat") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="desktop.ini") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="CONFIG.SYS") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="RECYCLER") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="BOOTSECT.BAK") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="bootmgr") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="programdata") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="appdata") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="program files") returned -1 [0089.629] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="program files (x86)") returned -1 [0089.629] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" [0089.629] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpString2="AccessMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" [0089.629] PathFindExtensionW (pszPath="AccessMUI.xml") returned=".xml" [0089.629] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.629] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.629] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.629] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.630] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.630] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0089.630] lstrlenA (lpString="NEPHILIM") returned 8 [0089.630] GetProcessHeap () returned 0x4e0000 [0089.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5073a8 [0089.630] lstrlenA (lpString="NEPHILIM") returned 8 [0089.630] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0089.632] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=1349) returned 1 [0089.633] GetProcessHeap () returned 0x4e0000 [0089.633] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.633] GetProcessHeap () returned 0x4e0000 [0089.633] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.633] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.633] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.633] GetProcessHeap () returned 0x4e0000 [0089.633] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.633] GetProcessHeap () returned 0x4e0000 [0089.633] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.633] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0089.633] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0089.633] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x545, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.634] SetLastError (dwErrCode=0x0) [0089.634] WriteFile (in: hFile=0xf0, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0089.636] GetLastError () returned 0x0 [0089.637] GetLastError () returned 0x0 [0089.637] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x645, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.637] WriteFile (in: hFile=0xf0, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0089.637] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x745, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.637] lstrlenA (lpString="NEPHILIM") returned 8 [0089.637] WriteFile (in: hFile=0xf0, lpBuffer=0x5073a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5073a8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0089.637] GetProcessHeap () returned 0x4e0000 [0089.637] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x545) returned 0x50b8b0 [0089.637] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.637] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0x545, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0x545, lpOverlapped=0x0) returned 1 [0089.638] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.638] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0x545, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x545, lpOverlapped=0x0) returned 1 [0089.638] GetProcessHeap () returned 0x4e0000 [0089.638] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0089.638] CloseHandle (hObject=0xf0) returned 1 [0089.661] GetProcessHeap () returned 0x4e0000 [0089.661] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.661] GetProcessHeap () returned 0x4e0000 [0089.661] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.661] GetProcessHeap () returned 0x4e0000 [0089.661] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.661] GetProcessHeap () returned 0x4e0000 [0089.661] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.661] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" [0089.661] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.NEPHILIM" [0089.661] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.nephilim")) returned 1 [0089.662] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3216e900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3216e900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa64a430, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1ab7e94, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="AccLR.cab", cAlternateFileName="")) returned 1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2=".") returned 1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="..") returned 1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="...") returned 1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="windows") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="$RECYCLE.BIN") returned 1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="rsa") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="log") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="NTDETECT.COM") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="ntldr") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="MSDOS.SYS") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="IO.SYS") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="boot.ini") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="AUTOEXEC.BAT") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="ntuser.dat") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="desktop.ini") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="CONFIG.SYS") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="RECYCLER") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="BOOTSECT.BAK") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="bootmgr") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="programdata") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="appdata") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="program files") returned -1 [0089.662] lstrcmpiW (lpString1="AccLR.cab", lpString2="program files (x86)") returned -1 [0089.662] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" [0089.662] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpString2="AccLR.cab" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" [0089.663] PathFindExtensionW (pszPath="AccLR.cab") returned=".cab" [0089.663] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0089.663] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0089.663] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0089.663] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2=".") returned 1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="..") returned 1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="...") returned 1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="windows") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="rsa") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="log") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="NTDETECT.COM") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="ntldr") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="MSDOS.SYS") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="IO.SYS") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="boot.ini") returned 1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="ntuser.dat") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="desktop.ini") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="CONFIG.SYS") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="RECYCLER") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="bootmgr") returned 1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="programdata") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="appdata") returned 1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="program files") returned -1 [0089.663] lstrcmpiW (lpString1="branding.xml", lpString2="program files (x86)") returned -1 [0089.663] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" [0089.663] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpString2="branding.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" [0089.664] PathFindExtensionW (pszPath="branding.xml") returned=".xml" [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.664] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.664] lstrcmpiW (lpString1="branding.xml", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0089.664] lstrlenA (lpString="NEPHILIM") returned 8 [0089.664] GetProcessHeap () returned 0x4e0000 [0089.664] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5073b8 [0089.665] lstrlenA (lpString="NEPHILIM") returned 8 [0089.665] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0089.666] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=596341) returned 1 [0089.666] GetProcessHeap () returned 0x4e0000 [0089.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.666] GetProcessHeap () returned 0x4e0000 [0089.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.666] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.666] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.666] GetProcessHeap () returned 0x4e0000 [0089.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.666] GetProcessHeap () returned 0x4e0000 [0089.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.666] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0089.666] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0089.667] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x91975, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.667] SetLastError (dwErrCode=0x0) [0089.667] WriteFile (in: hFile=0xf0, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0089.669] GetLastError () returned 0x0 [0089.669] GetLastError () returned 0x0 [0089.669] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x91a75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.669] WriteFile (in: hFile=0xf0, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0089.669] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x91b75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.669] lstrlenA (lpString="NEPHILIM") returned 8 [0089.670] WriteFile (in: hFile=0xf0, lpBuffer=0x5073b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5073b8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0089.670] GetProcessHeap () returned 0x4e0000 [0089.670] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x91975) returned 0x2010020 [0089.670] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.670] ReadFile (in: hFile=0xf0, lpBuffer=0x2010020, nNumberOfBytesToRead=0x91975, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesRead=0x24dddb0*=0x91975, lpOverlapped=0x0) returned 1 [0089.723] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.723] WriteFile (in: hFile=0xf0, lpBuffer=0x2010020*, nNumberOfBytesToWrite=0x91975, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesWritten=0x24dddbc*=0x91975, lpOverlapped=0x0) returned 1 [0089.725] GetProcessHeap () returned 0x4e0000 [0089.725] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2010020 | out: hHeap=0x4e0000) returned 1 [0089.730] CloseHandle (hObject=0xf0) returned 1 [0089.744] GetProcessHeap () returned 0x4e0000 [0089.744] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.744] GetProcessHeap () returned 0x4e0000 [0089.744] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.744] GetProcessHeap () returned 0x4e0000 [0089.744] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.744] GetProcessHeap () returned 0x4e0000 [0089.744] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.744] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" [0089.744] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.NEPHILIM" [0089.744] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.nephilim")) returned 1 [0089.745] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x860084, dwReserved1=0x24de8e0, cFileName="branding.xml", cAlternateFileName="")) returned 0 [0089.745] FindClose (in: hFindFile=0x502870 | out: hFindFile=0x502870) returned 1 [0089.745] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0089.745] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2=".") returned 1 [0089.745] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="..") returned 1 [0089.745] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="...") returned 1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="windows") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="$RECYCLE.BIN") returned 1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="rsa") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="log") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="NTDETECT.COM") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="ntldr") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="MSDOS.SYS") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="IO.SYS") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="boot.ini") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="AUTOEXEC.BAT") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="ntuser.dat") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="desktop.ini") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="CONFIG.SYS") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="RECYCLER") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="BOOTSECT.BAK") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="bootmgr") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="programdata") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="appdata") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="program files") returned -1 [0089.746] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="program files (x86)") returned -1 [0089.746] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" [0089.746] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="AccessMUISet.msi" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" [0089.746] PathFindExtensionW (pszPath="AccessMUISet.msi") returned=".msi" [0089.746] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0089.746] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0089.746] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0089.746] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0089.747] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0089.747] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0089.747] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0089.747] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0089.747] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0089.747] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0089.747] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0089.747] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0089.747] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0089.747] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0089.747] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0089.747] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="AccessMUISet.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0089.747] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2=".") returned 1 [0089.747] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="..") returned 1 [0089.747] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="...") returned 1 [0089.771] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="windows") returned -1 [0089.784] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.784] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="rsa") returned -1 [0089.784] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="log") returned -1 [0089.784] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="NTDETECT.COM") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="ntldr") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="MSDOS.SYS") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="IO.SYS") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="boot.ini") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="AUTOEXEC.BAT") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="ntuser.dat") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="desktop.ini") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="CONFIG.SYS") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="RECYCLER") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="BOOTSECT.BAK") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="bootmgr") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="programdata") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="appdata") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="program files") returned -1 [0089.785] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="program files (x86)") returned -1 [0089.785] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" [0089.785] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="AccessMUISet.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" [0089.785] PathFindExtensionW (pszPath="AccessMUISet.xml") returned=".xml" [0089.785] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.785] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.785] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.785] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.785] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.785] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.786] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.786] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.786] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.786] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.786] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.786] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.786] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.786] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.786] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.786] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.786] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0089.786] lstrlenA (lpString="NEPHILIM") returned 8 [0089.786] GetProcessHeap () returned 0x4e0000 [0089.786] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5073c8 [0089.786] lstrlenA (lpString="NEPHILIM") returned 8 [0089.786] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.792] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=819) returned 1 [0089.792] GetProcessHeap () returned 0x4e0000 [0089.792] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.792] GetProcessHeap () returned 0x4e0000 [0089.792] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.792] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.792] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.792] GetProcessHeap () returned 0x4e0000 [0089.792] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.792] GetProcessHeap () returned 0x4e0000 [0089.792] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.792] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.793] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.793] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x333, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.793] SetLastError (dwErrCode=0x0) [0089.793] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.798] GetLastError () returned 0x0 [0089.798] GetLastError () returned 0x0 [0089.798] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x433, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.798] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.798] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x533, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.799] lstrlenA (lpString="NEPHILIM") returned 8 [0089.799] WriteFile (in: hFile=0xec, lpBuffer=0x5073c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5073c8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.799] GetProcessHeap () returned 0x4e0000 [0089.799] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x333) returned 0x504e68 [0089.799] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.799] ReadFile (in: hFile=0xec, lpBuffer=0x504e68, nNumberOfBytesToRead=0x333, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x504e68*, lpNumberOfBytesRead=0x24de430*=0x333, lpOverlapped=0x0) returned 1 [0089.799] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.799] WriteFile (in: hFile=0xec, lpBuffer=0x504e68*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504e68*, lpNumberOfBytesWritten=0x24de43c*=0x333, lpOverlapped=0x0) returned 1 [0089.799] GetProcessHeap () returned 0x4e0000 [0089.799] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e68 | out: hHeap=0x4e0000) returned 1 [0089.799] CloseHandle (hObject=0xec) returned 1 [0089.802] GetProcessHeap () returned 0x4e0000 [0089.802] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.802] GetProcessHeap () returned 0x4e0000 [0089.802] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.802] GetProcessHeap () returned 0x4e0000 [0089.802] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.802] GetProcessHeap () returned 0x4e0000 [0089.802] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.802] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" [0089.802] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.NEPHILIM" [0089.802] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.nephilim")) returned 1 [0089.803] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0089.803] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0089.803] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0089.803] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0089.803] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0089.804] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0089.804] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" [0089.804] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" [0089.804] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0089.804] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.804] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.804] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.805] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.805] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.805] lstrlenA (lpString="NEPHILIM") returned 8 [0089.805] GetProcessHeap () returned 0x4e0000 [0089.805] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5073d8 [0089.805] lstrlenA (lpString="NEPHILIM") returned 8 [0089.805] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.806] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=2624) returned 1 [0089.806] GetProcessHeap () returned 0x4e0000 [0089.806] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.806] GetProcessHeap () returned 0x4e0000 [0089.806] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.806] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.806] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.806] GetProcessHeap () returned 0x4e0000 [0089.806] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.806] GetProcessHeap () returned 0x4e0000 [0089.806] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.806] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.807] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.807] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xa40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.807] SetLastError (dwErrCode=0x0) [0089.807] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.810] GetLastError () returned 0x0 [0089.810] GetLastError () returned 0x0 [0089.810] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.810] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.810] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xc40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.810] lstrlenA (lpString="NEPHILIM") returned 8 [0089.810] WriteFile (in: hFile=0xec, lpBuffer=0x5073d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5073d8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.810] GetProcessHeap () returned 0x4e0000 [0089.810] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xa40) returned 0x50a8a8 [0089.810] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.810] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0xa40, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0xa40, lpOverlapped=0x0) returned 1 [0089.811] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.811] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0xa40, lpOverlapped=0x0) returned 1 [0089.811] GetProcessHeap () returned 0x4e0000 [0089.811] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.811] CloseHandle (hObject=0xec) returned 1 [0089.822] GetProcessHeap () returned 0x4e0000 [0089.822] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.822] GetProcessHeap () returned 0x4e0000 [0089.822] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.822] GetProcessHeap () returned 0x4e0000 [0089.822] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.822] GetProcessHeap () returned 0x4e0000 [0089.822] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.822] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" [0089.822] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0089.822] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0089.823] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0089.823] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0089.823] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0089.823] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0089.823] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0089.823] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0089.823] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0089.823] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0089.823] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0089.823] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0089.823] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0089.823] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0089.823] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0089.824] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0089.824] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0089.824] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{91140000-0011-0000-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C" [0089.824] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.824] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.824] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" [0089.824] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0089.827] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0089.827] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0089.827] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0089.827] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0089.827] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0089.827] lstrcmpiW (lpString1="Office32WW.msi", lpString2=".") returned 1 [0089.827] lstrcmpiW (lpString1="Office32WW.msi", lpString2="..") returned 1 [0089.827] lstrcmpiW (lpString1="Office32WW.msi", lpString2="...") returned 1 [0089.827] lstrcmpiW (lpString1="Office32WW.msi", lpString2="windows") returned -1 [0089.827] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$RECYCLE.BIN") returned 1 [0089.827] lstrcmpiW (lpString1="Office32WW.msi", lpString2="rsa") returned -1 [0089.827] lstrcmpiW (lpString1="Office32WW.msi", lpString2="log") returned 1 [0089.827] lstrcmpiW (lpString1="Office32WW.msi", lpString2="NTDETECT.COM") returned 1 [0089.827] lstrcmpiW (lpString1="Office32WW.msi", lpString2="ntldr") returned 1 [0089.827] lstrcmpiW (lpString1="Office32WW.msi", lpString2="MSDOS.SYS") returned 1 [0089.827] lstrcmpiW (lpString1="Office32WW.msi", lpString2="IO.SYS") returned 1 [0089.827] lstrcmpiW (lpString1="Office32WW.msi", lpString2="boot.ini") returned 1 [0089.828] lstrcmpiW (lpString1="Office32WW.msi", lpString2="AUTOEXEC.BAT") returned 1 [0089.828] lstrcmpiW (lpString1="Office32WW.msi", lpString2="ntuser.dat") returned 1 [0089.828] lstrcmpiW (lpString1="Office32WW.msi", lpString2="desktop.ini") returned 1 [0089.828] lstrcmpiW (lpString1="Office32WW.msi", lpString2="CONFIG.SYS") returned 1 [0089.828] lstrcmpiW (lpString1="Office32WW.msi", lpString2="RECYCLER") returned -1 [0089.828] lstrcmpiW (lpString1="Office32WW.msi", lpString2="BOOTSECT.BAK") returned 1 [0089.828] lstrcmpiW (lpString1="Office32WW.msi", lpString2="bootmgr") returned 1 [0089.828] lstrcmpiW (lpString1="Office32WW.msi", lpString2="programdata") returned -1 [0089.828] lstrcmpiW (lpString1="Office32WW.msi", lpString2="appdata") returned 1 [0089.828] lstrcmpiW (lpString1="Office32WW.msi", lpString2="program files") returned -1 [0089.828] lstrcmpiW (lpString1="Office32WW.msi", lpString2="program files (x86)") returned -1 [0089.828] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.828] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.msi" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0089.828] PathFindExtensionW (pszPath="Office32WW.msi") returned=".msi" [0089.828] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0089.828] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0089.828] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0089.828] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0089.828] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0089.828] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0089.828] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0089.828] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0089.828] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0089.828] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0089.828] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0089.828] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0089.829] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0089.829] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0089.829] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0089.829] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2=".") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="..") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="...") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="windows") returned -1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="rsa") returned -1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="log") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="NTDETECT.COM") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="ntldr") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="MSDOS.SYS") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="IO.SYS") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="boot.ini") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="ntuser.dat") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="desktop.ini") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="CONFIG.SYS") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="RECYCLER") returned -1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="bootmgr") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="programdata") returned -1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="appdata") returned 1 [0089.829] lstrcmpiW (lpString1="Office32WW.xml", lpString2="program files") returned -1 [0089.830] lstrcmpiW (lpString1="Office32WW.xml", lpString2="program files (x86)") returned -1 [0089.830] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.830] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0089.830] PathFindExtensionW (pszPath="Office32WW.xml") returned=".xml" [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.830] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.830] lstrcmpiW (lpString1="Office32WW.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.830] lstrlenA (lpString="NEPHILIM") returned 8 [0089.830] GetProcessHeap () returned 0x4e0000 [0089.830] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5073e8 [0089.831] lstrlenA (lpString="NEPHILIM") returned 8 [0089.831] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.832] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=4274) returned 1 [0089.832] GetProcessHeap () returned 0x4e0000 [0089.832] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.832] GetProcessHeap () returned 0x4e0000 [0089.832] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.832] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.832] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.832] GetProcessHeap () returned 0x4e0000 [0089.832] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.832] GetProcessHeap () returned 0x4e0000 [0089.832] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.832] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.833] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.833] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.833] SetLastError (dwErrCode=0x0) [0089.833] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.836] GetLastError () returned 0x0 [0089.836] GetLastError () returned 0x0 [0089.836] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.836] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.836] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x12b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.836] lstrlenA (lpString="NEPHILIM") returned 8 [0089.836] WriteFile (in: hFile=0xec, lpBuffer=0x5073e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5073e8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.836] GetProcessHeap () returned 0x4e0000 [0089.837] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10b2) returned 0x50a8a8 [0089.837] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.837] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x10b2, lpOverlapped=0x0) returned 1 [0089.838] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.838] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x10b2, lpOverlapped=0x0) returned 1 [0089.839] GetProcessHeap () returned 0x4e0000 [0089.839] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.839] CloseHandle (hObject=0xec) returned 1 [0089.844] GetProcessHeap () returned 0x4e0000 [0089.844] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.844] GetProcessHeap () returned 0x4e0000 [0089.844] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.845] GetProcessHeap () returned 0x4e0000 [0089.845] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.845] GetProcessHeap () returned 0x4e0000 [0089.845] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.845] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0089.845] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.NEPHILIM" [0089.845] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.nephilim")) returned 1 [0089.860] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf885a000, ftCreationTime.dwHighDateTime=0x1cac4d7, ftLastAccessTime.dwLowDateTime=0xf885a000, ftLastAccessTime.dwHighDateTime=0x1cac4d7, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0089.860] lstrcmpiW (lpString1="ose.exe", lpString2=".") returned 1 [0089.860] lstrcmpiW (lpString1="ose.exe", lpString2="..") returned 1 [0089.860] lstrcmpiW (lpString1="ose.exe", lpString2="...") returned 1 [0089.860] lstrcmpiW (lpString1="ose.exe", lpString2="windows") returned -1 [0089.860] lstrcmpiW (lpString1="ose.exe", lpString2="$RECYCLE.BIN") returned 1 [0089.860] lstrcmpiW (lpString1="ose.exe", lpString2="rsa") returned -1 [0089.860] lstrcmpiW (lpString1="ose.exe", lpString2="log") returned 1 [0089.860] lstrcmpiW (lpString1="ose.exe", lpString2="NTDETECT.COM") returned 1 [0089.860] lstrcmpiW (lpString1="ose.exe", lpString2="ntldr") returned 1 [0089.860] lstrcmpiW (lpString1="ose.exe", lpString2="MSDOS.SYS") returned 1 [0089.860] lstrcmpiW (lpString1="ose.exe", lpString2="IO.SYS") returned 1 [0089.861] lstrcmpiW (lpString1="ose.exe", lpString2="boot.ini") returned 1 [0089.861] lstrcmpiW (lpString1="ose.exe", lpString2="AUTOEXEC.BAT") returned 1 [0089.861] lstrcmpiW (lpString1="ose.exe", lpString2="ntuser.dat") returned 1 [0089.861] lstrcmpiW (lpString1="ose.exe", lpString2="desktop.ini") returned 1 [0089.861] lstrcmpiW (lpString1="ose.exe", lpString2="CONFIG.SYS") returned 1 [0089.861] lstrcmpiW (lpString1="ose.exe", lpString2="RECYCLER") returned -1 [0089.861] lstrcmpiW (lpString1="ose.exe", lpString2="BOOTSECT.BAK") returned 1 [0089.861] lstrcmpiW (lpString1="ose.exe", lpString2="bootmgr") returned 1 [0089.861] lstrcmpiW (lpString1="ose.exe", lpString2="programdata") returned -1 [0089.861] lstrcmpiW (lpString1="ose.exe", lpString2="appdata") returned 1 [0089.861] lstrcmpiW (lpString1="ose.exe", lpString2="program files") returned -1 [0089.861] lstrcmpiW (lpString1="ose.exe", lpString2="program files (x86)") returned -1 [0089.861] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.861] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="ose.exe" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" [0089.861] PathFindExtensionW (pszPath="ose.exe") returned=".exe" [0089.861] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0089.861] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd900f00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbd900f00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x16854390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0089.861] lstrcmpiW (lpString1="osetup.dll", lpString2=".") returned 1 [0089.861] lstrcmpiW (lpString1="osetup.dll", lpString2="..") returned 1 [0089.861] lstrcmpiW (lpString1="osetup.dll", lpString2="...") returned 1 [0089.861] lstrcmpiW (lpString1="osetup.dll", lpString2="windows") returned -1 [0089.861] lstrcmpiW (lpString1="osetup.dll", lpString2="$RECYCLE.BIN") returned 1 [0089.861] lstrcmpiW (lpString1="osetup.dll", lpString2="rsa") returned -1 [0089.861] lstrcmpiW (lpString1="osetup.dll", lpString2="log") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="NTDETECT.COM") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="ntldr") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="MSDOS.SYS") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="IO.SYS") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="boot.ini") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="AUTOEXEC.BAT") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="ntuser.dat") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="desktop.ini") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="CONFIG.SYS") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="RECYCLER") returned -1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="BOOTSECT.BAK") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="bootmgr") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="programdata") returned -1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="appdata") returned 1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="program files") returned -1 [0089.862] lstrcmpiW (lpString1="osetup.dll", lpString2="program files (x86)") returned -1 [0089.862] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.862] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="osetup.dll" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" [0089.862] PathFindExtensionW (pszPath="osetup.dll") returned=".dll" [0089.862] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0089.862] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0089.862] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0089.862] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0089.862] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0089.862] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0089.863] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0089.863] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0089.863] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x147e5b00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x147e5b00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xff654fc0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2=".") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="..") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="...") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="windows") returned -1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$RECYCLE.BIN") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="rsa") returned -1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="log") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="NTDETECT.COM") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="ntldr") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="MSDOS.SYS") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="IO.SYS") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="boot.ini") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="AUTOEXEC.BAT") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="ntuser.dat") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="desktop.ini") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="CONFIG.SYS") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="RECYCLER") returned -1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="BOOTSECT.BAK") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="bootmgr") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="programdata") returned -1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="appdata") returned 1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="program files") returned -1 [0089.863] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="program files (x86)") returned -1 [0089.864] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.864] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="OWOW32WW.cab" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0089.864] PathFindExtensionW (pszPath="OWOW32WW.cab") returned=".cab" [0089.864] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0089.864] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0089.864] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0089.864] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3a02e00, ftCreationTime.dwHighDateTime=0x1cac5f7, ftLastAccessTime.dwLowDateTime=0xe3a02e00, ftLastAccessTime.dwHighDateTime=0x1cac5f7, ftLastWriteTime.dwLowDateTime=0x17e0dbf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2=".") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="..") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="...") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="windows") returned -1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$RECYCLE.BIN") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="rsa") returned -1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="log") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="NTDETECT.COM") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="ntldr") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="MSDOS.SYS") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="IO.SYS") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="boot.ini") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="AUTOEXEC.BAT") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="ntuser.dat") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="desktop.ini") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="CONFIG.SYS") returned 1 [0089.864] lstrcmpiW (lpString1="PidGenX.dll", lpString2="RECYCLER") returned -1 [0089.865] lstrcmpiW (lpString1="PidGenX.dll", lpString2="BOOTSECT.BAK") returned 1 [0089.865] lstrcmpiW (lpString1="PidGenX.dll", lpString2="bootmgr") returned 1 [0089.865] lstrcmpiW (lpString1="PidGenX.dll", lpString2="programdata") returned -1 [0089.865] lstrcmpiW (lpString1="PidGenX.dll", lpString2="appdata") returned 1 [0089.865] lstrcmpiW (lpString1="PidGenX.dll", lpString2="program files") returned -1 [0089.865] lstrcmpiW (lpString1="PidGenX.dll", lpString2="program files (x86)") returned -1 [0089.865] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.865] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="PidGenX.dll" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0089.865] PathFindExtensionW (pszPath="PidGenX.dll") returned=".dll" [0089.865] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0089.865] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0089.865] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0089.865] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0089.865] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0089.865] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0089.865] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0089.865] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0089.865] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe06a9500, ftCreationTime.dwHighDateTime=0x1cac7e5, ftLastAccessTime.dwLowDateTime=0xe06a9500, ftLastAccessTime.dwHighDateTime=0x1cac7e5, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0089.865] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0089.865] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0089.865] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="...") returned 1 [0089.865] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="windows") returned -1 [0089.865] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0089.865] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="rsa") returned -1 [0089.865] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="log") returned 1 [0089.865] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="NTDETECT.COM") returned 1 [0089.866] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="ntldr") returned 1 [0089.866] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="MSDOS.SYS") returned 1 [0089.866] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="IO.SYS") returned 1 [0089.866] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="boot.ini") returned 1 [0089.866] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="AUTOEXEC.BAT") returned 1 [0089.866] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="ntuser.dat") returned 1 [0089.866] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="desktop.ini") returned 1 [0089.866] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="CONFIG.SYS") returned 1 [0089.866] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="RECYCLER") returned -1 [0089.866] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="BOOTSECT.BAK") returned 1 [0089.866] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="bootmgr") returned 1 [0089.866] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="programdata") returned -1 [0089.867] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="appdata") returned 1 [0089.867] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="program files") returned -1 [0089.867] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="program files (x86)") returned -1 [0089.867] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.867] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="pkeyconfig-office.xrm-ms" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0089.867] PathFindExtensionW (pszPath="pkeyconfig-office.xrm-ms") returned=".xrm-ms" [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".exe") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".log") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cab") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cmd") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".com") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cpl") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".ini") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".dll") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".url") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".ttf") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mp3") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".pif") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mp4") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".NEPHILIM") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".msi") returned 1 [0089.867] lstrcmpiW (lpString1=".xrm-ms", lpString2=".lnk") returned 1 [0089.867] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.868] lstrlenA (lpString="NEPHILIM") returned 8 [0089.868] GetProcessHeap () returned 0x4e0000 [0089.868] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5073f8 [0089.868] lstrlenA (lpString="NEPHILIM") returned 8 [0089.868] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.868] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=715834) returned 1 [0089.868] GetProcessHeap () returned 0x4e0000 [0089.868] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.868] GetProcessHeap () returned 0x4e0000 [0089.868] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.869] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.869] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.869] GetProcessHeap () returned 0x4e0000 [0089.869] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.869] GetProcessHeap () returned 0x4e0000 [0089.869] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.869] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.869] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.869] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xaec3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.869] SetLastError (dwErrCode=0x0) [0089.869] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.872] GetLastError () returned 0x0 [0089.872] GetLastError () returned 0x0 [0089.872] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xaed3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.872] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.872] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xaee3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.872] lstrlenA (lpString="NEPHILIM") returned 8 [0089.872] WriteFile (in: hFile=0xec, lpBuffer=0x5073f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5073f8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.873] GetProcessHeap () returned 0x4e0000 [0089.873] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xaec3a) returned 0x2010020 [0089.873] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.873] ReadFile (in: hFile=0xec, lpBuffer=0x2010020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesRead=0x24de430*=0xaec3a, lpOverlapped=0x0) returned 1 [0089.942] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.942] WriteFile (in: hFile=0xec, lpBuffer=0x2010020*, nNumberOfBytesToWrite=0xaec3a, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesWritten=0x24de43c*=0xaec3a, lpOverlapped=0x0) returned 1 [0089.946] GetProcessHeap () returned 0x4e0000 [0089.946] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2010020 | out: hHeap=0x4e0000) returned 1 [0089.951] CloseHandle (hObject=0xec) returned 1 [0089.956] GetProcessHeap () returned 0x4e0000 [0089.956] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.956] GetProcessHeap () returned 0x4e0000 [0089.956] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.956] GetProcessHeap () returned 0x4e0000 [0089.956] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.956] GetProcessHeap () returned 0x4e0000 [0089.956] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.956] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0089.956] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.NEPHILIM") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.NEPHILIM" [0089.956] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.NEPHILIM" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.nephilim")) returned 1 [0089.957] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb2e2000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbb2e2000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x1a41c00, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ProPlusrWW.msi", cAlternateFileName="PROPLU~1.MSI")) returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2=".") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="..") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="...") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="windows") returned -1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="$RECYCLE.BIN") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="rsa") returned -1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="log") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="NTDETECT.COM") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="ntldr") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="MSDOS.SYS") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="IO.SYS") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="boot.ini") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="AUTOEXEC.BAT") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="ntuser.dat") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="desktop.ini") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="CONFIG.SYS") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="RECYCLER") returned -1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="BOOTSECT.BAK") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="bootmgr") returned 1 [0089.957] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="programdata") returned 1 [0089.958] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="appdata") returned 1 [0089.958] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="program files") returned 1 [0089.958] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="program files (x86)") returned 1 [0089.958] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.958] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="ProPlusrWW.msi" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" [0089.958] PathFindExtensionW (pszPath="ProPlusrWW.msi") returned=".msi" [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0089.958] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0089.958] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ProPlusrWW.xml", cAlternateFileName="PROPLU~1.XML")) returned 1 [0089.958] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2=".") returned 1 [0089.958] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="..") returned 1 [0089.958] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="...") returned 1 [0089.958] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="windows") returned -1 [0089.958] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.958] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="rsa") returned -1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="log") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="NTDETECT.COM") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="ntldr") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="MSDOS.SYS") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="IO.SYS") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="boot.ini") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="ntuser.dat") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="desktop.ini") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="CONFIG.SYS") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="RECYCLER") returned -1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="bootmgr") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="programdata") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="appdata") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="program files") returned 1 [0089.959] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="program files (x86)") returned 1 [0089.960] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.960] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="ProPlusrWW.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" [0089.960] PathFindExtensionW (pszPath="ProPlusrWW.xml") returned=".xml" [0089.960] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.960] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.960] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.960] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.960] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.960] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.960] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.960] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.960] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.960] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.961] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.961] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.961] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.961] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.961] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.961] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.961] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.961] lstrlenA (lpString="NEPHILIM") returned 8 [0089.961] GetProcessHeap () returned 0x4e0000 [0089.961] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507408 [0089.961] lstrlenA (lpString="NEPHILIM") returned 8 [0089.961] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.967] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=16852) returned 1 [0089.967] GetProcessHeap () returned 0x4e0000 [0089.967] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.967] GetProcessHeap () returned 0x4e0000 [0089.967] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.967] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.967] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.967] GetProcessHeap () returned 0x4e0000 [0089.967] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.967] GetProcessHeap () returned 0x4e0000 [0089.967] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.967] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.968] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.968] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x41d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.968] SetLastError (dwErrCode=0x0) [0089.968] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.970] GetLastError () returned 0x0 [0089.970] GetLastError () returned 0x0 [0089.970] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x42d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.970] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.970] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x43d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.970] lstrlenA (lpString="NEPHILIM") returned 8 [0089.970] WriteFile (in: hFile=0xec, lpBuffer=0x507408*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507408*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.970] GetProcessHeap () returned 0x4e0000 [0089.970] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x41d4) returned 0x50a8a8 [0089.970] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.970] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x41d4, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x41d4, lpOverlapped=0x0) returned 1 [0089.972] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.972] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x41d4, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x41d4, lpOverlapped=0x0) returned 1 [0089.972] GetProcessHeap () returned 0x4e0000 [0089.972] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.972] CloseHandle (hObject=0xec) returned 1 [0089.974] GetProcessHeap () returned 0x4e0000 [0089.974] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.974] GetProcessHeap () returned 0x4e0000 [0089.974] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.974] GetProcessHeap () returned 0x4e0000 [0089.974] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.974] GetProcessHeap () returned 0x4e0000 [0089.974] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.974] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" [0089.974] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.NEPHILIM" [0089.974] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.nephilim")) returned 1 [0089.976] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x262b2700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x262b2700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x1ffd0c0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xa97cbdb, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ProPrWW.cab", cAlternateFileName="")) returned 1 [0089.976] lstrcmpiW (lpString1="ProPrWW.cab", lpString2=".") returned 1 [0089.976] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="..") returned 1 [0089.976] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="...") returned 1 [0089.976] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="windows") returned -1 [0089.976] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="$RECYCLE.BIN") returned 1 [0089.976] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="rsa") returned -1 [0089.976] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="log") returned 1 [0089.976] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="NTDETECT.COM") returned 1 [0089.976] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="ntldr") returned 1 [0089.976] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="MSDOS.SYS") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="IO.SYS") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="boot.ini") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="AUTOEXEC.BAT") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="ntuser.dat") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="desktop.ini") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="CONFIG.SYS") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="RECYCLER") returned -1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="BOOTSECT.BAK") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="bootmgr") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="programdata") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="appdata") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="program files") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="program files (x86)") returned 1 [0089.977] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.977] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="ProPrWW.cab" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" [0089.977] PathFindExtensionW (pszPath="ProPrWW.cab") returned=".cab" [0089.977] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0089.977] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0089.977] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0089.977] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf14900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbf14900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xc96ff40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xd49ee31, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ProPrWW2.cab", cAlternateFileName="")) returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2=".") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="..") returned 1 [0089.977] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="...") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="windows") returned -1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="$RECYCLE.BIN") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="rsa") returned -1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="log") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="NTDETECT.COM") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="ntldr") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="MSDOS.SYS") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="IO.SYS") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="boot.ini") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="AUTOEXEC.BAT") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="ntuser.dat") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="desktop.ini") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="CONFIG.SYS") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="RECYCLER") returned -1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="BOOTSECT.BAK") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="bootmgr") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="programdata") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="appdata") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="program files") returned 1 [0089.978] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="program files (x86)") returned 1 [0089.978] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.978] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="ProPrWW2.cab" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" [0089.978] PathFindExtensionW (pszPath="ProPrWW2.cab") returned=".cab" [0089.979] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0089.979] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0089.979] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0089.979] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec13c00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbec13c00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x1682d290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2=".") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="..") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="...") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="windows") returned -1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="$RECYCLE.BIN") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="rsa") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="log") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="NTDETECT.COM") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="ntldr") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="MSDOS.SYS") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="IO.SYS") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="boot.ini") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="AUTOEXEC.BAT") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="ntuser.dat") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="desktop.ini") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="CONFIG.SYS") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="RECYCLER") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="BOOTSECT.BAK") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="bootmgr") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="programdata") returned 1 [0089.979] lstrcmpiW (lpString1="setup.exe", lpString2="appdata") returned 1 [0089.980] lstrcmpiW (lpString1="setup.exe", lpString2="program files") returned 1 [0089.980] lstrcmpiW (lpString1="setup.exe", lpString2="program files (x86)") returned 1 [0089.980] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.980] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="setup.exe" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" [0089.980] PathFindExtensionW (pszPath="setup.exe") returned=".exe" [0089.980] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0089.980] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0089.980] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0089.981] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0089.981] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0089.981] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0089.981] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0089.981] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0089.981] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0089.981] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0089.981] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0089.981] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" [0089.981] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0089.981] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0089.982] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0089.982] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0089.982] lstrlenA (lpString="NEPHILIM") returned 8 [0089.982] GetProcessHeap () returned 0x4e0000 [0089.982] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507418 [0089.982] lstrlenA (lpString="NEPHILIM") returned 8 [0089.982] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0089.983] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=31094) returned 1 [0089.983] GetProcessHeap () returned 0x4e0000 [0089.983] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0089.983] GetProcessHeap () returned 0x4e0000 [0089.983] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0089.984] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0089.984] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0089.984] GetProcessHeap () returned 0x4e0000 [0089.984] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0089.984] GetProcessHeap () returned 0x4e0000 [0089.984] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0089.984] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0089.984] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0089.984] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7976, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.984] SetLastError (dwErrCode=0x0) [0089.984] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.986] GetLastError () returned 0x0 [0089.987] GetLastError () returned 0x0 [0089.987] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7a76, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.987] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0089.987] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7b76, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.987] lstrlenA (lpString="NEPHILIM") returned 8 [0089.987] WriteFile (in: hFile=0xec, lpBuffer=0x507418*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507418*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0089.987] GetProcessHeap () returned 0x4e0000 [0089.987] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x7976) returned 0x50a8a8 [0089.987] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.987] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x7976, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x7976, lpOverlapped=0x0) returned 1 [0089.990] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.990] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x7976, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x7976, lpOverlapped=0x0) returned 1 [0089.991] GetProcessHeap () returned 0x4e0000 [0089.991] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0089.991] CloseHandle (hObject=0xec) returned 1 [0089.996] GetProcessHeap () returned 0x4e0000 [0089.996] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0089.996] GetProcessHeap () returned 0x4e0000 [0089.996] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0089.996] GetProcessHeap () returned 0x4e0000 [0089.996] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0089.996] GetProcessHeap () returned 0x4e0000 [0089.996] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0089.996] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" [0089.996] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0089.996] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0089.997] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0089.997] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0089.997] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0089.997] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0089.997] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0089.997] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0089.997] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0089.997] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0089.997] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0089.997] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0089.997] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0089.997] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0089.997] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0089.998] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0089.998] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0089.998] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{91140000-003B-0000-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C" [0089.998] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0089.998] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0089.998] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" [0089.998] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0090.001] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0090.001] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0090.001] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0090.001] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0090.001] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0090.001] lstrcmpiW (lpString1="Office32WW.msi", lpString2=".") returned 1 [0090.001] lstrcmpiW (lpString1="Office32WW.msi", lpString2="..") returned 1 [0090.001] lstrcmpiW (lpString1="Office32WW.msi", lpString2="...") returned 1 [0090.001] lstrcmpiW (lpString1="Office32WW.msi", lpString2="windows") returned -1 [0090.001] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$RECYCLE.BIN") returned 1 [0090.001] lstrcmpiW (lpString1="Office32WW.msi", lpString2="rsa") returned -1 [0090.001] lstrcmpiW (lpString1="Office32WW.msi", lpString2="log") returned 1 [0090.001] lstrcmpiW (lpString1="Office32WW.msi", lpString2="NTDETECT.COM") returned 1 [0090.001] lstrcmpiW (lpString1="Office32WW.msi", lpString2="ntldr") returned 1 [0090.001] lstrcmpiW (lpString1="Office32WW.msi", lpString2="MSDOS.SYS") returned 1 [0090.001] lstrcmpiW (lpString1="Office32WW.msi", lpString2="IO.SYS") returned 1 [0090.001] lstrcmpiW (lpString1="Office32WW.msi", lpString2="boot.ini") returned 1 [0090.002] lstrcmpiW (lpString1="Office32WW.msi", lpString2="AUTOEXEC.BAT") returned 1 [0090.002] lstrcmpiW (lpString1="Office32WW.msi", lpString2="ntuser.dat") returned 1 [0090.002] lstrcmpiW (lpString1="Office32WW.msi", lpString2="desktop.ini") returned 1 [0090.002] lstrcmpiW (lpString1="Office32WW.msi", lpString2="CONFIG.SYS") returned 1 [0090.002] lstrcmpiW (lpString1="Office32WW.msi", lpString2="RECYCLER") returned -1 [0090.002] lstrcmpiW (lpString1="Office32WW.msi", lpString2="BOOTSECT.BAK") returned 1 [0090.002] lstrcmpiW (lpString1="Office32WW.msi", lpString2="bootmgr") returned 1 [0090.002] lstrcmpiW (lpString1="Office32WW.msi", lpString2="programdata") returned -1 [0090.002] lstrcmpiW (lpString1="Office32WW.msi", lpString2="appdata") returned 1 [0090.002] lstrcmpiW (lpString1="Office32WW.msi", lpString2="program files") returned -1 [0090.002] lstrcmpiW (lpString1="Office32WW.msi", lpString2="program files (x86)") returned -1 [0090.002] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0090.002] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.msi" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0090.002] PathFindExtensionW (pszPath="Office32WW.msi") returned=".msi" [0090.002] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0090.002] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0090.002] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0090.002] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0090.002] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0090.002] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0090.002] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0090.002] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0090.002] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0090.002] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0090.002] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0090.002] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0090.003] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0090.003] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0090.003] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0090.003] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2=".") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="..") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="...") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="windows") returned -1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$RECYCLE.BIN") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="rsa") returned -1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="log") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="NTDETECT.COM") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="ntldr") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="MSDOS.SYS") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="IO.SYS") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="boot.ini") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="AUTOEXEC.BAT") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="ntuser.dat") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="desktop.ini") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="CONFIG.SYS") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="RECYCLER") returned -1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="BOOTSECT.BAK") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="bootmgr") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="programdata") returned -1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="appdata") returned 1 [0090.003] lstrcmpiW (lpString1="Office32WW.xml", lpString2="program files") returned -1 [0090.004] lstrcmpiW (lpString1="Office32WW.xml", lpString2="program files (x86)") returned -1 [0090.004] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0090.004] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0090.004] PathFindExtensionW (pszPath="Office32WW.xml") returned=".xml" [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0090.004] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0090.004] lstrcmpiW (lpString1="Office32WW.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0090.004] lstrlenA (lpString="NEPHILIM") returned 8 [0090.004] GetProcessHeap () returned 0x4e0000 [0090.004] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507428 [0090.004] lstrlenA (lpString="NEPHILIM") returned 8 [0090.004] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0090.005] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=4274) returned 1 [0090.005] GetProcessHeap () returned 0x4e0000 [0090.005] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0090.005] GetProcessHeap () returned 0x4e0000 [0090.005] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0090.005] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0090.005] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0090.005] GetProcessHeap () returned 0x4e0000 [0090.005] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0090.005] GetProcessHeap () returned 0x4e0000 [0090.005] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0090.005] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0090.006] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0090.006] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.006] SetLastError (dwErrCode=0x0) [0090.006] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.008] GetLastError () returned 0x0 [0090.008] GetLastError () returned 0x0 [0090.008] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.009] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.009] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x12b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.009] lstrlenA (lpString="NEPHILIM") returned 8 [0090.009] WriteFile (in: hFile=0xec, lpBuffer=0x507428*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507428*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0090.009] GetProcessHeap () returned 0x4e0000 [0090.009] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10b2) returned 0x50a8a8 [0090.009] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.009] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x10b2, lpOverlapped=0x0) returned 1 [0090.010] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.011] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x10b2, lpOverlapped=0x0) returned 1 [0090.011] GetProcessHeap () returned 0x4e0000 [0090.011] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0090.011] CloseHandle (hObject=0xec) returned 1 [0090.012] GetProcessHeap () returned 0x4e0000 [0090.012] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0090.012] GetProcessHeap () returned 0x4e0000 [0090.012] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0090.012] GetProcessHeap () returned 0x4e0000 [0090.012] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0090.012] GetProcessHeap () returned 0x4e0000 [0090.012] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0090.012] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0090.012] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.NEPHILIM" [0090.012] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.nephilim")) returned 1 [0090.013] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe57f8e0, ftCreationTime.dwHighDateTime=0x1cbe1cb, ftLastAccessTime.dwLowDateTime=0xfe57f8e0, ftLastAccessTime.dwHighDateTime=0x1cbe1cb, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0090.013] lstrcmpiW (lpString1="ose.exe", lpString2=".") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="..") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="...") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="windows") returned -1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="$RECYCLE.BIN") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="rsa") returned -1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="log") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="NTDETECT.COM") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="ntldr") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="MSDOS.SYS") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="IO.SYS") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="boot.ini") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="AUTOEXEC.BAT") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="ntuser.dat") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="desktop.ini") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="CONFIG.SYS") returned 1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="RECYCLER") returned -1 [0090.014] lstrcmpiW (lpString1="ose.exe", lpString2="BOOTSECT.BAK") returned 1 [0090.015] lstrcmpiW (lpString1="ose.exe", lpString2="bootmgr") returned 1 [0090.015] lstrcmpiW (lpString1="ose.exe", lpString2="programdata") returned -1 [0090.015] lstrcmpiW (lpString1="ose.exe", lpString2="appdata") returned 1 [0090.015] lstrcmpiW (lpString1="ose.exe", lpString2="program files") returned -1 [0090.015] lstrcmpiW (lpString1="ose.exe", lpString2="program files (x86)") returned -1 [0090.015] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0090.015] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="ose.exe" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" [0090.015] PathFindExtensionW (pszPath="ose.exe") returned=".exe" [0090.015] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0090.015] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6644b620, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x6644b620, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa81b8770, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0090.015] lstrcmpiW (lpString1="osetup.dll", lpString2=".") returned 1 [0090.015] lstrcmpiW (lpString1="osetup.dll", lpString2="..") returned 1 [0090.015] lstrcmpiW (lpString1="osetup.dll", lpString2="...") returned 1 [0090.015] lstrcmpiW (lpString1="osetup.dll", lpString2="windows") returned -1 [0090.015] lstrcmpiW (lpString1="osetup.dll", lpString2="$RECYCLE.BIN") returned 1 [0090.015] lstrcmpiW (lpString1="osetup.dll", lpString2="rsa") returned -1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="log") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="NTDETECT.COM") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="ntldr") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="MSDOS.SYS") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="IO.SYS") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="boot.ini") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="AUTOEXEC.BAT") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="ntuser.dat") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="desktop.ini") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="CONFIG.SYS") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="RECYCLER") returned -1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="BOOTSECT.BAK") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="bootmgr") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="programdata") returned -1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="appdata") returned 1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="program files") returned -1 [0090.016] lstrcmpiW (lpString1="osetup.dll", lpString2="program files (x86)") returned -1 [0090.017] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0090.017] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="osetup.dll" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" [0090.017] PathFindExtensionW (pszPath="osetup.dll") returned=".dll" [0090.017] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0090.017] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0090.017] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0090.017] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0090.017] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0090.017] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0090.017] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0090.017] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0090.017] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8238e540, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x8238e540, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5ddcc70, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0090.017] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2=".") returned 1 [0090.017] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="..") returned 1 [0090.017] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="...") returned 1 [0090.017] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="windows") returned -1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$RECYCLE.BIN") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="rsa") returned -1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="log") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="NTDETECT.COM") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="ntldr") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="MSDOS.SYS") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="IO.SYS") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="boot.ini") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="AUTOEXEC.BAT") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="ntuser.dat") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="desktop.ini") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="CONFIG.SYS") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="RECYCLER") returned -1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="BOOTSECT.BAK") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="bootmgr") returned 1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="programdata") returned -1 [0090.018] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="appdata") returned 1 [0090.019] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="program files") returned -1 [0090.019] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="program files (x86)") returned -1 [0090.019] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0090.019] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="OWOW32WW.cab" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0090.019] PathFindExtensionW (pszPath="OWOW32WW.cab") returned=".cab" [0090.019] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0090.019] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0090.019] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0090.019] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7bd91af0, ftCreationTime.dwHighDateTime=0x1cb07b2, ftLastAccessTime.dwLowDateTime=0x7bd91af0, ftLastAccessTime.dwHighDateTime=0x1cb07b2, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0090.019] lstrcmpiW (lpString1="PidGenX.dll", lpString2=".") returned 1 [0090.019] lstrcmpiW (lpString1="PidGenX.dll", lpString2="..") returned 1 [0090.019] lstrcmpiW (lpString1="PidGenX.dll", lpString2="...") returned 1 [0090.019] lstrcmpiW (lpString1="PidGenX.dll", lpString2="windows") returned -1 [0090.019] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$RECYCLE.BIN") returned 1 [0090.019] lstrcmpiW (lpString1="PidGenX.dll", lpString2="rsa") returned -1 [0090.019] lstrcmpiW (lpString1="PidGenX.dll", lpString2="log") returned 1 [0090.019] lstrcmpiW (lpString1="PidGenX.dll", lpString2="NTDETECT.COM") returned 1 [0090.019] lstrcmpiW (lpString1="PidGenX.dll", lpString2="ntldr") returned 1 [0090.019] lstrcmpiW (lpString1="PidGenX.dll", lpString2="MSDOS.SYS") returned 1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="IO.SYS") returned 1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="boot.ini") returned 1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="AUTOEXEC.BAT") returned 1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="ntuser.dat") returned 1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="desktop.ini") returned 1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="CONFIG.SYS") returned 1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="RECYCLER") returned -1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="BOOTSECT.BAK") returned 1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="bootmgr") returned 1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="programdata") returned -1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="appdata") returned 1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="program files") returned -1 [0090.020] lstrcmpiW (lpString1="PidGenX.dll", lpString2="program files (x86)") returned -1 [0090.020] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0090.020] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="PidGenX.dll" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0090.020] PathFindExtensionW (pszPath="PidGenX.dll") returned=".dll" [0090.020] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0090.021] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0090.021] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0090.021] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0090.021] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0090.021] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0090.021] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0090.021] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0090.021] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2a2397e0, ftCreationTime.dwHighDateTime=0x1cbe19a, ftLastAccessTime.dwLowDateTime=0x2a2397e0, ftLastAccessTime.dwHighDateTime=0x1cbe19a, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0090.021] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0090.021] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0090.021] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="...") returned 1 [0090.021] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="windows") returned -1 [0090.021] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0090.021] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="rsa") returned -1 [0090.021] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="log") returned 1 [0090.021] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="NTDETECT.COM") returned 1 [0090.021] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="ntldr") returned 1 [0090.022] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="MSDOS.SYS") returned 1 [0090.022] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="IO.SYS") returned 1 [0090.022] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="boot.ini") returned 1 [0090.022] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="AUTOEXEC.BAT") returned 1 [0090.022] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="ntuser.dat") returned 1 [0090.022] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="desktop.ini") returned 1 [0090.022] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="CONFIG.SYS") returned 1 [0090.022] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="RECYCLER") returned -1 [0090.022] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="BOOTSECT.BAK") returned 1 [0090.022] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="bootmgr") returned 1 [0090.023] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="programdata") returned -1 [0090.023] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="appdata") returned 1 [0090.023] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="program files") returned -1 [0090.023] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="program files (x86)") returned -1 [0090.023] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0090.023] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="pkeyconfig-office.xrm-ms" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0090.023] PathFindExtensionW (pszPath="pkeyconfig-office.xrm-ms") returned=".xrm-ms" [0090.023] lstrcmpiW (lpString1=".xrm-ms", lpString2=".exe") returned 1 [0090.023] lstrcmpiW (lpString1=".xrm-ms", lpString2=".log") returned 1 [0090.023] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cab") returned 1 [0090.023] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cmd") returned 1 [0090.023] lstrcmpiW (lpString1=".xrm-ms", lpString2=".com") returned 1 [0090.023] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cpl") returned 1 [0090.023] lstrcmpiW (lpString1=".xrm-ms", lpString2=".ini") returned 1 [0090.023] lstrcmpiW (lpString1=".xrm-ms", lpString2=".dll") returned 1 [0090.023] lstrcmpiW (lpString1=".xrm-ms", lpString2=".url") returned 1 [0090.024] lstrcmpiW (lpString1=".xrm-ms", lpString2=".ttf") returned 1 [0090.024] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mp3") returned 1 [0090.024] lstrcmpiW (lpString1=".xrm-ms", lpString2=".pif") returned 1 [0090.024] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mp4") returned 1 [0090.024] lstrcmpiW (lpString1=".xrm-ms", lpString2=".NEPHILIM") returned 1 [0090.024] lstrcmpiW (lpString1=".xrm-ms", lpString2=".msi") returned 1 [0090.024] lstrcmpiW (lpString1=".xrm-ms", lpString2=".lnk") returned 1 [0090.024] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0090.024] lstrlenA (lpString="NEPHILIM") returned 8 [0090.024] GetProcessHeap () returned 0x4e0000 [0090.024] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507438 [0090.024] lstrlenA (lpString="NEPHILIM") returned 8 [0090.024] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0090.025] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=715834) returned 1 [0090.026] GetProcessHeap () returned 0x4e0000 [0090.026] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0090.026] GetProcessHeap () returned 0x4e0000 [0090.026] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0090.026] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0090.026] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0090.026] GetProcessHeap () returned 0x4e0000 [0090.026] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0090.026] GetProcessHeap () returned 0x4e0000 [0090.026] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0090.026] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0090.026] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0090.027] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xaec3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.027] SetLastError (dwErrCode=0x0) [0090.027] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.029] GetLastError () returned 0x0 [0090.029] GetLastError () returned 0x0 [0090.029] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xaed3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.029] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.029] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xaee3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.029] lstrlenA (lpString="NEPHILIM") returned 8 [0090.029] WriteFile (in: hFile=0xec, lpBuffer=0x507438*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507438*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0090.030] GetProcessHeap () returned 0x4e0000 [0090.030] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xaec3a) returned 0x2010020 [0090.030] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.030] ReadFile (in: hFile=0xec, lpBuffer=0x2010020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesRead=0x24de430*=0xaec3a, lpOverlapped=0x0) returned 1 [0090.087] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.087] WriteFile (in: hFile=0xec, lpBuffer=0x2010020*, nNumberOfBytesToWrite=0xaec3a, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesWritten=0x24de43c*=0xaec3a, lpOverlapped=0x0) returned 1 [0090.090] GetProcessHeap () returned 0x4e0000 [0090.090] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2010020 | out: hHeap=0x4e0000) returned 1 [0090.094] CloseHandle (hObject=0xec) returned 1 [0090.165] GetProcessHeap () returned 0x4e0000 [0090.165] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0090.165] GetProcessHeap () returned 0x4e0000 [0090.165] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0090.165] GetProcessHeap () returned 0x4e0000 [0090.165] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0090.165] GetProcessHeap () returned 0x4e0000 [0090.165] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0090.165] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0090.165] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.NEPHILIM") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.NEPHILIM" [0090.165] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.NEPHILIM" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.nephilim")) returned 1 [0090.202] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7c1614f0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7c1614f0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xa4c400, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="PrjProrWW.msi", cAlternateFileName="PRJPRO~1.MSI")) returned 1 [0090.202] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2=".") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="..") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="...") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="windows") returned -1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="$RECYCLE.BIN") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="rsa") returned -1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="log") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="NTDETECT.COM") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="ntldr") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="MSDOS.SYS") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="IO.SYS") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="boot.ini") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="AUTOEXEC.BAT") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="ntuser.dat") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="desktop.ini") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="CONFIG.SYS") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="RECYCLER") returned -1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="BOOTSECT.BAK") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="bootmgr") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="programdata") returned -1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="appdata") returned 1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="program files") returned -1 [0090.203] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="program files (x86)") returned -1 [0090.204] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0090.204] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="PrjProrWW.msi" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" [0090.204] PathFindExtensionW (pszPath="PrjProrWW.msi") returned=".msi" [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0090.204] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0090.204] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cabec50, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7cabec50, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="PrjProrWW.xml", cAlternateFileName="PRJPRO~1.XML")) returned 1 [0090.204] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2=".") returned 1 [0090.204] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="..") returned 1 [0090.204] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="...") returned 1 [0090.204] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="windows") returned -1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="$RECYCLE.BIN") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="rsa") returned -1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="log") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="NTDETECT.COM") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="ntldr") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="MSDOS.SYS") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="IO.SYS") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="boot.ini") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="AUTOEXEC.BAT") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="ntuser.dat") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="desktop.ini") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="CONFIG.SYS") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="RECYCLER") returned -1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="BOOTSECT.BAK") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="bootmgr") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="programdata") returned -1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="appdata") returned 1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="program files") returned -1 [0090.205] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="program files (x86)") returned -1 [0090.205] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0090.205] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="PrjProrWW.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" [0090.205] PathFindExtensionW (pszPath="PrjProrWW.xml") returned=".xml" [0090.205] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0090.206] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0090.206] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0090.207] lstrlenA (lpString="NEPHILIM") returned 8 [0090.207] GetProcessHeap () returned 0x4e0000 [0090.207] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507448 [0090.207] lstrlenA (lpString="NEPHILIM") returned 8 [0090.207] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0090.208] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=6421) returned 1 [0090.208] GetProcessHeap () returned 0x4e0000 [0090.209] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0090.209] GetProcessHeap () returned 0x4e0000 [0090.209] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0090.209] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0090.209] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0090.209] GetProcessHeap () returned 0x4e0000 [0090.209] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0090.209] GetProcessHeap () returned 0x4e0000 [0090.209] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0090.209] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0090.209] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0090.210] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1915, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.210] SetLastError (dwErrCode=0x0) [0090.210] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.212] GetLastError () returned 0x0 [0090.212] GetLastError () returned 0x0 [0090.212] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1a15, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.212] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.212] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1b15, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.212] lstrlenA (lpString="NEPHILIM") returned 8 [0090.213] WriteFile (in: hFile=0xec, lpBuffer=0x507448*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507448*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0090.213] GetProcessHeap () returned 0x4e0000 [0090.213] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1915) returned 0x50a8a8 [0090.213] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.213] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x1915, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x1915, lpOverlapped=0x0) returned 1 [0090.214] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.214] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x1915, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x1915, lpOverlapped=0x0) returned 1 [0090.214] GetProcessHeap () returned 0x4e0000 [0090.214] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0090.214] CloseHandle (hObject=0xec) returned 1 [0090.217] GetProcessHeap () returned 0x4e0000 [0090.217] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0090.217] GetProcessHeap () returned 0x4e0000 [0090.217] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0090.217] GetProcessHeap () returned 0x4e0000 [0090.217] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0090.217] GetProcessHeap () returned 0x4e0000 [0090.217] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0090.217] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" [0090.217] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.NEPHILIM" [0090.217] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.nephilim")) returned 1 [0090.218] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c87b0c0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x6c87b0c0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa6b67930, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x9b6ba9f, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="PrjPrrWW.cab", cAlternateFileName="")) returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2=".") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="..") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="...") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="windows") returned -1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="$RECYCLE.BIN") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="rsa") returned -1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="log") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="NTDETECT.COM") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="ntldr") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="MSDOS.SYS") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="IO.SYS") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="boot.ini") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="AUTOEXEC.BAT") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="ntuser.dat") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="desktop.ini") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="CONFIG.SYS") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="RECYCLER") returned -1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="BOOTSECT.BAK") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="bootmgr") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="programdata") returned -1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="appdata") returned 1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="program files") returned -1 [0090.218] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="program files (x86)") returned -1 [0090.219] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0090.219] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="PrjPrrWW.cab" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" [0090.219] PathFindExtensionW (pszPath="PrjPrrWW.cab") returned=".cab" [0090.219] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0090.219] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0090.219] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0090.219] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69dde270, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x69dde270, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa8191670, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2=".") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="..") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="...") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="windows") returned -1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="$RECYCLE.BIN") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="rsa") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="log") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="NTDETECT.COM") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="ntldr") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="MSDOS.SYS") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="IO.SYS") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="boot.ini") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="AUTOEXEC.BAT") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="ntuser.dat") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="desktop.ini") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="CONFIG.SYS") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="RECYCLER") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="BOOTSECT.BAK") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="bootmgr") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="programdata") returned 1 [0090.219] lstrcmpiW (lpString1="setup.exe", lpString2="appdata") returned 1 [0090.220] lstrcmpiW (lpString1="setup.exe", lpString2="program files") returned 1 [0090.220] lstrcmpiW (lpString1="setup.exe", lpString2="program files (x86)") returned 1 [0090.220] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0090.220] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="setup.exe" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" [0090.220] PathFindExtensionW (pszPath="setup.exe") returned=".exe" [0090.220] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0090.220] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0090.220] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0090.220] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0090.220] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" [0090.221] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0090.221] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0090.221] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0090.221] lstrlenA (lpString="NEPHILIM") returned 8 [0090.221] GetProcessHeap () returned 0x4e0000 [0090.221] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507458 [0090.221] lstrlenA (lpString="NEPHILIM") returned 8 [0090.221] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0090.222] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=16683) returned 1 [0090.222] GetProcessHeap () returned 0x4e0000 [0090.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0090.222] GetProcessHeap () returned 0x4e0000 [0090.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0090.222] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0090.222] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0090.222] GetProcessHeap () returned 0x4e0000 [0090.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0090.222] GetProcessHeap () returned 0x4e0000 [0090.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0090.222] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0090.222] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0090.223] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x412b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.223] SetLastError (dwErrCode=0x0) [0090.223] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.225] GetLastError () returned 0x0 [0090.225] GetLastError () returned 0x0 [0090.225] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x422b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.225] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.225] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x432b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.225] lstrlenA (lpString="NEPHILIM") returned 8 [0090.225] WriteFile (in: hFile=0xec, lpBuffer=0x507458*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507458*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0090.225] GetProcessHeap () returned 0x4e0000 [0090.225] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x412b) returned 0x50a8a8 [0090.225] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.225] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x412b, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x412b, lpOverlapped=0x0) returned 1 [0090.227] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.227] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x412b, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x412b, lpOverlapped=0x0) returned 1 [0090.227] GetProcessHeap () returned 0x4e0000 [0090.227] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0090.227] CloseHandle (hObject=0xec) returned 1 [0090.232] GetProcessHeap () returned 0x4e0000 [0090.232] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0090.232] GetProcessHeap () returned 0x4e0000 [0090.232] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0090.232] GetProcessHeap () returned 0x4e0000 [0090.232] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0090.232] GetProcessHeap () returned 0x4e0000 [0090.232] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0090.232] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" [0090.232] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0090.232] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0090.233] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0090.233] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0090.233] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0090.233] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0090.233] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0090.233] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0090.233] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0090.233] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="$RECYCLE.BIN") returned 1 [0090.233] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0090.233] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="log") returned -1 [0090.233] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="NTDETECT.COM") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="ntldr") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="MSDOS.SYS") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="IO.SYS") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="boot.ini") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="AUTOEXEC.BAT") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="desktop.ini") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="CONFIG.SYS") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="RECYCLER") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="BOOTSECT.BAK") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="bootmgr") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0090.234] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0090.234] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\MSOCache\\All Users\\" | out: lpString1="C:\\MSOCache\\All Users\\") returned="C:\\MSOCache\\All Users\\" [0090.234] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\", lpString2="{91140000-0057-0000-1000-0000000FF1CE}-C" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C" [0090.234] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.234] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.234] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" [0090.234] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0090.238] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0090.238] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0090.238] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0090.238] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0090.238] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2=".") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="..") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="...") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="windows") returned -1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$RECYCLE.BIN") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="rsa") returned -1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="log") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="NTDETECT.COM") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="ntldr") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="MSDOS.SYS") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="IO.SYS") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="boot.ini") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="AUTOEXEC.BAT") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="ntuser.dat") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="desktop.ini") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="CONFIG.SYS") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="RECYCLER") returned -1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="BOOTSECT.BAK") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="bootmgr") returned 1 [0090.238] lstrcmpiW (lpString1="Office32WW.msi", lpString2="programdata") returned -1 [0090.239] lstrcmpiW (lpString1="Office32WW.msi", lpString2="appdata") returned 1 [0090.239] lstrcmpiW (lpString1="Office32WW.msi", lpString2="program files") returned -1 [0090.239] lstrcmpiW (lpString1="Office32WW.msi", lpString2="program files (x86)") returned -1 [0090.239] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.239] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.msi" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0090.239] PathFindExtensionW (pszPath="Office32WW.msi") returned=".msi" [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0090.239] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0090.239] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0090.239] lstrcmpiW (lpString1="Office32WW.xml", lpString2=".") returned 1 [0090.239] lstrcmpiW (lpString1="Office32WW.xml", lpString2="..") returned 1 [0090.239] lstrcmpiW (lpString1="Office32WW.xml", lpString2="...") returned 1 [0090.239] lstrcmpiW (lpString1="Office32WW.xml", lpString2="windows") returned -1 [0090.239] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$RECYCLE.BIN") returned 1 [0090.239] lstrcmpiW (lpString1="Office32WW.xml", lpString2="rsa") returned -1 [0090.239] lstrcmpiW (lpString1="Office32WW.xml", lpString2="log") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="NTDETECT.COM") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="ntldr") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="MSDOS.SYS") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="IO.SYS") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="boot.ini") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="AUTOEXEC.BAT") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="ntuser.dat") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="desktop.ini") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="CONFIG.SYS") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="RECYCLER") returned -1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="BOOTSECT.BAK") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="bootmgr") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="programdata") returned -1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="appdata") returned 1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="program files") returned -1 [0090.240] lstrcmpiW (lpString1="Office32WW.xml", lpString2="program files (x86)") returned -1 [0090.240] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.240] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0090.240] PathFindExtensionW (pszPath="Office32WW.xml") returned=".xml" [0090.240] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0090.240] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0090.240] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0090.240] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0090.240] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0090.240] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0090.240] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0090.241] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0090.241] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0090.241] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0090.241] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0090.241] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0090.241] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0090.241] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0090.241] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0090.241] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0090.241] lstrcmpiW (lpString1="Office32WW.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0090.241] lstrlenA (lpString="NEPHILIM") returned 8 [0090.241] GetProcessHeap () returned 0x4e0000 [0090.241] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507468 [0090.241] lstrlenA (lpString="NEPHILIM") returned 8 [0090.241] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0090.241] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=4274) returned 1 [0090.241] GetProcessHeap () returned 0x4e0000 [0090.241] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0090.242] GetProcessHeap () returned 0x4e0000 [0090.242] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0090.242] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0090.242] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0090.242] GetProcessHeap () returned 0x4e0000 [0090.242] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0090.242] GetProcessHeap () returned 0x4e0000 [0090.242] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0090.242] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0090.242] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0090.242] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.242] SetLastError (dwErrCode=0x0) [0090.242] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.244] GetLastError () returned 0x0 [0090.244] GetLastError () returned 0x0 [0090.244] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.245] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.245] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x12b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.245] lstrlenA (lpString="NEPHILIM") returned 8 [0090.245] WriteFile (in: hFile=0xec, lpBuffer=0x507468*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507468*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0090.245] GetProcessHeap () returned 0x4e0000 [0090.245] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10b2) returned 0x50a8a8 [0090.245] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.245] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x10b2, lpOverlapped=0x0) returned 1 [0090.246] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.246] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x10b2, lpOverlapped=0x0) returned 1 [0090.246] GetProcessHeap () returned 0x4e0000 [0090.246] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0090.246] CloseHandle (hObject=0xec) returned 1 [0090.248] GetProcessHeap () returned 0x4e0000 [0090.248] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0090.248] GetProcessHeap () returned 0x4e0000 [0090.248] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0090.248] GetProcessHeap () returned 0x4e0000 [0090.248] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0090.248] GetProcessHeap () returned 0x4e0000 [0090.248] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0090.248] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0090.248] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.NEPHILIM" [0090.248] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.nephilim")) returned 1 [0090.249] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec54b6b0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xec54b6b0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x4a687710, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2=".") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="..") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="...") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="windows") returned -1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="$RECYCLE.BIN") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="rsa") returned -1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="log") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="NTDETECT.COM") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="ntldr") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="MSDOS.SYS") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="IO.SYS") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="boot.ini") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="AUTOEXEC.BAT") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="ntuser.dat") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="desktop.ini") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="CONFIG.SYS") returned 1 [0090.249] lstrcmpiW (lpString1="ose.exe", lpString2="RECYCLER") returned -1 [0090.250] lstrcmpiW (lpString1="ose.exe", lpString2="BOOTSECT.BAK") returned 1 [0090.250] lstrcmpiW (lpString1="ose.exe", lpString2="bootmgr") returned 1 [0090.250] lstrcmpiW (lpString1="ose.exe", lpString2="programdata") returned -1 [0090.250] lstrcmpiW (lpString1="ose.exe", lpString2="appdata") returned 1 [0090.250] lstrcmpiW (lpString1="ose.exe", lpString2="program files") returned -1 [0090.250] lstrcmpiW (lpString1="ose.exe", lpString2="program files (x86)") returned -1 [0090.250] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.250] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="ose.exe" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" [0090.250] PathFindExtensionW (pszPath="ose.exe") returned=".exe" [0090.250] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0090.250] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xde72fbf0, ftCreationTime.dwHighDateTime=0x1cb0d0b, ftLastAccessTime.dwLowDateTime=0xde72fbf0, ftLastAccessTime.dwHighDateTime=0x1cb0d0b, ftLastWriteTime.dwLowDateTime=0x49c902c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0090.250] lstrcmpiW (lpString1="osetup.dll", lpString2=".") returned 1 [0090.250] lstrcmpiW (lpString1="osetup.dll", lpString2="..") returned 1 [0090.250] lstrcmpiW (lpString1="osetup.dll", lpString2="...") returned 1 [0090.250] lstrcmpiW (lpString1="osetup.dll", lpString2="windows") returned -1 [0090.250] lstrcmpiW (lpString1="osetup.dll", lpString2="$RECYCLE.BIN") returned 1 [0090.250] lstrcmpiW (lpString1="osetup.dll", lpString2="rsa") returned -1 [0090.250] lstrcmpiW (lpString1="osetup.dll", lpString2="log") returned 1 [0090.250] lstrcmpiW (lpString1="osetup.dll", lpString2="NTDETECT.COM") returned 1 [0090.250] lstrcmpiW (lpString1="osetup.dll", lpString2="ntldr") returned 1 [0090.250] lstrcmpiW (lpString1="osetup.dll", lpString2="MSDOS.SYS") returned 1 [0090.250] lstrcmpiW (lpString1="osetup.dll", lpString2="IO.SYS") returned 1 [0090.250] lstrcmpiW (lpString1="osetup.dll", lpString2="boot.ini") returned 1 [0090.251] lstrcmpiW (lpString1="osetup.dll", lpString2="AUTOEXEC.BAT") returned 1 [0090.251] lstrcmpiW (lpString1="osetup.dll", lpString2="ntuser.dat") returned 1 [0090.251] lstrcmpiW (lpString1="osetup.dll", lpString2="desktop.ini") returned 1 [0090.251] lstrcmpiW (lpString1="osetup.dll", lpString2="CONFIG.SYS") returned 1 [0090.251] lstrcmpiW (lpString1="osetup.dll", lpString2="RECYCLER") returned -1 [0090.251] lstrcmpiW (lpString1="osetup.dll", lpString2="BOOTSECT.BAK") returned 1 [0090.251] lstrcmpiW (lpString1="osetup.dll", lpString2="bootmgr") returned 1 [0090.251] lstrcmpiW (lpString1="osetup.dll", lpString2="programdata") returned -1 [0090.251] lstrcmpiW (lpString1="osetup.dll", lpString2="appdata") returned 1 [0090.251] lstrcmpiW (lpString1="osetup.dll", lpString2="program files") returned -1 [0090.251] lstrcmpiW (lpString1="osetup.dll", lpString2="program files (x86)") returned -1 [0090.251] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.251] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="osetup.dll" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" [0090.251] PathFindExtensionW (pszPath="osetup.dll") returned=".dll" [0090.251] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0090.251] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0090.251] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0090.251] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0090.251] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0090.251] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0090.251] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0090.252] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0090.252] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9c380f0, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xc9c380f0, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x465d00f0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2=".") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="..") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="...") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="windows") returned -1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$RECYCLE.BIN") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="rsa") returned -1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="log") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="NTDETECT.COM") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="ntldr") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="MSDOS.SYS") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="IO.SYS") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="boot.ini") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="AUTOEXEC.BAT") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="ntuser.dat") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="desktop.ini") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="CONFIG.SYS") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="RECYCLER") returned -1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="BOOTSECT.BAK") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="bootmgr") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="programdata") returned -1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="appdata") returned 1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="program files") returned -1 [0090.252] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="program files (x86)") returned -1 [0090.252] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.253] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="OWOW32WW.cab" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0090.253] PathFindExtensionW (pszPath="OWOW32WW.cab") returned=".cab" [0090.253] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0090.253] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0090.253] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0090.253] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7c66670, ftCreationTime.dwHighDateTime=0x1cb0ee5, ftLastAccessTime.dwLowDateTime=0xe7c66670, ftLastAccessTime.dwHighDateTime=0x1cb0ee5, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2=".") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="..") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="...") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="windows") returned -1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$RECYCLE.BIN") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="rsa") returned -1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="log") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="NTDETECT.COM") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="ntldr") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="MSDOS.SYS") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="IO.SYS") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="boot.ini") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="AUTOEXEC.BAT") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="ntuser.dat") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="desktop.ini") returned 1 [0090.253] lstrcmpiW (lpString1="PidGenX.dll", lpString2="CONFIG.SYS") returned 1 [0090.254] lstrcmpiW (lpString1="PidGenX.dll", lpString2="RECYCLER") returned -1 [0090.254] lstrcmpiW (lpString1="PidGenX.dll", lpString2="BOOTSECT.BAK") returned 1 [0090.254] lstrcmpiW (lpString1="PidGenX.dll", lpString2="bootmgr") returned 1 [0090.254] lstrcmpiW (lpString1="PidGenX.dll", lpString2="programdata") returned -1 [0090.254] lstrcmpiW (lpString1="PidGenX.dll", lpString2="appdata") returned 1 [0090.254] lstrcmpiW (lpString1="PidGenX.dll", lpString2="program files") returned -1 [0090.254] lstrcmpiW (lpString1="PidGenX.dll", lpString2="program files (x86)") returned -1 [0090.254] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.254] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="PidGenX.dll" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0090.254] PathFindExtensionW (pszPath="PidGenX.dll") returned=".dll" [0090.254] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0090.254] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0090.254] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0090.254] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0090.254] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0090.254] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0090.254] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0090.254] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0090.254] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95261510, ftCreationTime.dwHighDateTime=0x1cb048a, ftLastAccessTime.dwLowDateTime=0x95261510, ftLastAccessTime.dwHighDateTime=0x1cb048a, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0090.254] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="...") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="windows") returned -1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$RECYCLE.BIN") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="rsa") returned -1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="log") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="NTDETECT.COM") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="ntldr") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="MSDOS.SYS") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="IO.SYS") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="boot.ini") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="AUTOEXEC.BAT") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="ntuser.dat") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="desktop.ini") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="CONFIG.SYS") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="RECYCLER") returned -1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="BOOTSECT.BAK") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="bootmgr") returned 1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="programdata") returned -1 [0090.255] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="appdata") returned 1 [0090.256] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="program files") returned -1 [0090.256] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="program files (x86)") returned -1 [0090.256] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.256] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="pkeyconfig-office.xrm-ms" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0090.256] PathFindExtensionW (pszPath="pkeyconfig-office.xrm-ms") returned=".xrm-ms" [0090.256] lstrcmpiW (lpString1=".xrm-ms", lpString2=".exe") returned 1 [0090.256] lstrcmpiW (lpString1=".xrm-ms", lpString2=".log") returned 1 [0090.256] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cab") returned 1 [0090.256] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cmd") returned 1 [0090.256] lstrcmpiW (lpString1=".xrm-ms", lpString2=".com") returned 1 [0090.256] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cpl") returned 1 [0090.256] lstrcmpiW (lpString1=".xrm-ms", lpString2=".ini") returned 1 [0090.256] lstrcmpiW (lpString1=".xrm-ms", lpString2=".dll") returned 1 [0090.256] lstrcmpiW (lpString1=".xrm-ms", lpString2=".url") returned 1 [0090.257] lstrcmpiW (lpString1=".xrm-ms", lpString2=".ttf") returned 1 [0090.257] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mp3") returned 1 [0090.257] lstrcmpiW (lpString1=".xrm-ms", lpString2=".pif") returned 1 [0090.257] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mp4") returned 1 [0090.257] lstrcmpiW (lpString1=".xrm-ms", lpString2=".NEPHILIM") returned 1 [0090.257] lstrcmpiW (lpString1=".xrm-ms", lpString2=".msi") returned 1 [0090.257] lstrcmpiW (lpString1=".xrm-ms", lpString2=".lnk") returned 1 [0090.257] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0090.257] lstrlenA (lpString="NEPHILIM") returned 8 [0090.257] GetProcessHeap () returned 0x4e0000 [0090.257] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507478 [0090.257] lstrlenA (lpString="NEPHILIM") returned 8 [0090.257] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0090.258] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=715834) returned 1 [0090.258] GetProcessHeap () returned 0x4e0000 [0090.258] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0090.258] GetProcessHeap () returned 0x4e0000 [0090.258] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0090.258] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0090.258] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0090.258] GetProcessHeap () returned 0x4e0000 [0090.258] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0090.258] GetProcessHeap () returned 0x4e0000 [0090.259] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0090.259] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0090.259] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0090.259] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xaec3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.259] SetLastError (dwErrCode=0x0) [0090.259] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.261] GetLastError () returned 0x0 [0090.261] GetLastError () returned 0x0 [0090.261] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xaed3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.261] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.262] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xaee3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.262] lstrlenA (lpString="NEPHILIM") returned 8 [0090.262] WriteFile (in: hFile=0xec, lpBuffer=0x507478*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507478*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0090.262] GetProcessHeap () returned 0x4e0000 [0090.262] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xaec3a) returned 0x2010020 [0090.262] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.262] ReadFile (in: hFile=0xec, lpBuffer=0x2010020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesRead=0x24de430*=0xaec3a, lpOverlapped=0x0) returned 1 [0090.316] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.316] WriteFile (in: hFile=0xec, lpBuffer=0x2010020*, nNumberOfBytesToWrite=0xaec3a, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesWritten=0x24de43c*=0xaec3a, lpOverlapped=0x0) returned 1 [0090.320] GetProcessHeap () returned 0x4e0000 [0090.320] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2010020 | out: hHeap=0x4e0000) returned 1 [0090.324] CloseHandle (hObject=0xec) returned 1 [0090.333] GetProcessHeap () returned 0x4e0000 [0090.333] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0090.333] GetProcessHeap () returned 0x4e0000 [0090.333] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0090.333] GetProcessHeap () returned 0x4e0000 [0090.333] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0090.333] GetProcessHeap () returned 0x4e0000 [0090.333] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0090.333] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0090.333] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.NEPHILIM") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.NEPHILIM" [0090.333] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.NEPHILIM" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.nephilim")) returned 1 [0090.334] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb7e7af0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xeb7e7af0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x49c691c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0090.334] lstrcmpiW (lpString1="setup.exe", lpString2=".") returned 1 [0090.334] lstrcmpiW (lpString1="setup.exe", lpString2="..") returned 1 [0090.334] lstrcmpiW (lpString1="setup.exe", lpString2="...") returned 1 [0090.334] lstrcmpiW (lpString1="setup.exe", lpString2="windows") returned -1 [0090.334] lstrcmpiW (lpString1="setup.exe", lpString2="$RECYCLE.BIN") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="rsa") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="log") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="NTDETECT.COM") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="ntldr") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="MSDOS.SYS") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="IO.SYS") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="boot.ini") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="AUTOEXEC.BAT") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="ntuser.dat") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="desktop.ini") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="CONFIG.SYS") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="RECYCLER") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="BOOTSECT.BAK") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="bootmgr") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="programdata") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="appdata") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="program files") returned 1 [0090.335] lstrcmpiW (lpString1="setup.exe", lpString2="program files (x86)") returned 1 [0090.335] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.335] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="setup.exe" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" [0090.335] PathFindExtensionW (pszPath="setup.exe") returned=".exe" [0090.335] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0090.335] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80aa51d0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80aa51d0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0090.335] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0090.335] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="$RECYCLE.BIN") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="log") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="NTDETECT.COM") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="ntldr") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="MSDOS.SYS") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="IO.SYS") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="boot.ini") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="AUTOEXEC.BAT") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="desktop.ini") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="CONFIG.SYS") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="RECYCLER") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="BOOTSECT.BAK") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="bootmgr") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0090.336] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0090.336] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.336] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" [0090.336] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0090.336] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0090.337] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0090.337] lstrcmpiW (lpString1="Setup.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0090.337] lstrlenA (lpString="NEPHILIM") returned 8 [0090.337] GetProcessHeap () returned 0x4e0000 [0090.337] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507488 [0090.337] lstrlenA (lpString="NEPHILIM") returned 8 [0090.337] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0090.338] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=20577) returned 1 [0090.338] GetProcessHeap () returned 0x4e0000 [0090.338] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0090.338] GetProcessHeap () returned 0x4e0000 [0090.338] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0090.338] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0090.338] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0090.338] GetProcessHeap () returned 0x4e0000 [0090.338] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0090.338] GetProcessHeap () returned 0x4e0000 [0090.338] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0090.338] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de208*=0x100) returned 1 [0090.339] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de204*=0x100) returned 1 [0090.339] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x5061, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.339] SetLastError (dwErrCode=0x0) [0090.339] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.341] GetLastError () returned 0x0 [0090.341] GetLastError () returned 0x0 [0090.341] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x5161, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.341] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.342] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x5261, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.342] lstrlenA (lpString="NEPHILIM") returned 8 [0090.342] WriteFile (in: hFile=0xec, lpBuffer=0x507488*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507488*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0090.342] GetProcessHeap () returned 0x4e0000 [0090.342] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x5061) returned 0x50a8a8 [0090.342] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.342] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x5061, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x5061, lpOverlapped=0x0) returned 1 [0090.344] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.344] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x5061, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x5061, lpOverlapped=0x0) returned 1 [0090.345] GetProcessHeap () returned 0x4e0000 [0090.345] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0090.345] CloseHandle (hObject=0xec) returned 1 [0090.348] GetProcessHeap () returned 0x4e0000 [0090.348] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0090.348] GetProcessHeap () returned 0x4e0000 [0090.348] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0090.348] GetProcessHeap () returned 0x4e0000 [0090.348] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0090.348] GetProcessHeap () returned 0x4e0000 [0090.348] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0090.348] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" [0090.348] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" [0090.348] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.nephilim")) returned 1 [0090.350] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749b0240, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x749b0240, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x46a46a30, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb9fa2f7, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="VisiorWW.cab", cAlternateFileName="")) returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2=".") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="..") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="...") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="windows") returned -1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="$RECYCLE.BIN") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="rsa") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="log") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="NTDETECT.COM") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="ntldr") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="MSDOS.SYS") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="IO.SYS") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="boot.ini") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="AUTOEXEC.BAT") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="ntuser.dat") returned 1 [0090.350] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="desktop.ini") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="CONFIG.SYS") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="RECYCLER") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="BOOTSECT.BAK") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="bootmgr") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="programdata") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="appdata") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="program files") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="program files (x86)") returned 1 [0090.351] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.351] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="VisiorWW.cab" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" [0090.351] PathFindExtensionW (pszPath="VisiorWW.cab") returned=".cab" [0090.351] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0090.351] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0090.351] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0090.351] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80711960, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80711960, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468ee660, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb80800, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="VisiorWW.msi", cAlternateFileName="")) returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.msi", lpString2=".") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="..") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="...") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="windows") returned -1 [0090.351] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="$RECYCLE.BIN") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="rsa") returned 1 [0090.351] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="log") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="NTDETECT.COM") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="ntldr") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="MSDOS.SYS") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="IO.SYS") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="boot.ini") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="AUTOEXEC.BAT") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="ntuser.dat") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="desktop.ini") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="CONFIG.SYS") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="RECYCLER") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="BOOTSECT.BAK") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="bootmgr") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="programdata") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="appdata") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="program files") returned 1 [0090.352] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="program files (x86)") returned 1 [0090.352] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.352] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="VisiorWW.msi" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" [0090.352] PathFindExtensionW (pszPath="VisiorWW.msi") returned=".msi" [0090.352] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0090.352] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0090.352] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0090.352] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0090.352] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0090.353] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0090.353] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0090.353] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0090.353] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0090.353] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0090.353] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0090.353] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0090.353] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0090.353] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0090.353] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0090.353] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2=".") returned 1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="..") returned 1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="...") returned 1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="windows") returned -1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="$RECYCLE.BIN") returned 1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="rsa") returned 1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="log") returned 1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="NTDETECT.COM") returned 1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="ntldr") returned 1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="MSDOS.SYS") returned 1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="IO.SYS") returned 1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="boot.ini") returned 1 [0090.353] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="AUTOEXEC.BAT") returned 1 [0090.354] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="ntuser.dat") returned 1 [0090.354] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="desktop.ini") returned 1 [0090.354] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="CONFIG.SYS") returned 1 [0090.354] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="RECYCLER") returned 1 [0090.354] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="BOOTSECT.BAK") returned 1 [0090.354] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="bootmgr") returned 1 [0090.354] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="programdata") returned 1 [0090.354] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="appdata") returned 1 [0090.354] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="program files") returned 1 [0090.354] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="program files (x86)") returned 1 [0090.354] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0090.354] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="VisiorWW.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" [0090.354] PathFindExtensionW (pszPath="VisiorWW.xml") returned=".xml" [0090.354] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0090.354] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0090.354] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0090.354] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0090.354] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0090.354] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0090.354] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0090.354] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0090.354] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0090.355] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0090.355] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0090.355] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0090.355] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0090.355] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0090.355] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0090.355] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0090.355] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0090.355] lstrlenA (lpString="NEPHILIM") returned 8 [0090.355] GetProcessHeap () returned 0x4e0000 [0090.355] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507498 [0090.355] lstrlenA (lpString="NEPHILIM") returned 8 [0090.355] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0090.357] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=8723) returned 1 [0090.357] GetProcessHeap () returned 0x4e0000 [0090.357] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0090.357] GetProcessHeap () returned 0x4e0000 [0090.357] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0090.357] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0090.357] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0090.357] GetProcessHeap () returned 0x4e0000 [0090.357] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0090.357] GetProcessHeap () returned 0x4e0000 [0090.357] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0090.357] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24de208*=0x100) returned 1 [0090.357] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24de204*=0x100) returned 1 [0090.358] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2213, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.358] SetLastError (dwErrCode=0x0) [0090.358] WriteFile (in: hFile=0xec, lpBuffer=0x507ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ee8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.361] GetLastError () returned 0x0 [0090.361] GetLastError () returned 0x0 [0090.361] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2313, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.361] WriteFile (in: hFile=0xec, lpBuffer=0x507ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507ff0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0090.361] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2413, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.361] lstrlenA (lpString="NEPHILIM") returned 8 [0090.361] WriteFile (in: hFile=0xec, lpBuffer=0x507498*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507498*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0090.361] GetProcessHeap () returned 0x4e0000 [0090.361] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2213) returned 0x50a8a8 [0090.361] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.361] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x2213, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x2213, lpOverlapped=0x0) returned 1 [0090.363] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.363] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x2213, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x2213, lpOverlapped=0x0) returned 1 [0090.363] GetProcessHeap () returned 0x4e0000 [0090.363] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0090.363] CloseHandle (hObject=0xec) returned 1 [0090.366] GetProcessHeap () returned 0x4e0000 [0090.366] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ee8 | out: hHeap=0x4e0000) returned 1 [0090.366] GetProcessHeap () returned 0x4e0000 [0090.366] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x507ff0 | out: hHeap=0x4e0000) returned 1 [0090.366] GetProcessHeap () returned 0x4e0000 [0090.366] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504c90 | out: hHeap=0x4e0000) returned 1 [0090.366] GetProcessHeap () returned 0x4e0000 [0090.366] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504ca8 | out: hHeap=0x4e0000) returned 1 [0090.366] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" [0090.366] lstrcatW (in: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.NEPHILIM") returned="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.NEPHILIM" [0090.366] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.NEPHILIM" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.nephilim")) returned 1 [0090.367] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0x340032, dwReserved1=0x24def60, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 0 [0090.367] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0090.367] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 0 [0090.367] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0090.368] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x98ddb240, dwReserved1=0x61134734, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 0 [0090.368] FindClose (in: hFindFile=0x4ff0b8 | out: hFindFile=0x4ff0b8) returned 1 [0090.368] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3cba890, ftCreationTime.dwHighDateTime=0x1d607de, ftLastAccessTime.dwLowDateTime=0xd3cba890, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd3cba890, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NEPHILIM-DECRYPT.txt", cAlternateFileName="NEPHIL~1.TXT")) returned 1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2=".") returned 1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="..") returned 1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="...") returned 1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="windows") returned -1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="$RECYCLE.BIN") returned 1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="rsa") returned -1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="log") returned 1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="NTDETECT.COM") returned -1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="ntldr") returned -1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="MSDOS.SYS") returned 1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="IO.SYS") returned 1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="boot.ini") returned 1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="AUTOEXEC.BAT") returned 1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0090.368] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="CONFIG.SYS") returned 1 [0090.369] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="RECYCLER") returned -1 [0090.369] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="BOOTSECT.BAK") returned 1 [0090.369] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="bootmgr") returned 1 [0090.369] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="programdata") returned -1 [0090.369] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="appdata") returned 1 [0090.369] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="program files") returned -1 [0090.369] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="program files (x86)") returned -1 [0090.369] lstrcpyW (in: lpString1=0x24dfa58, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0090.369] lstrcatW (in: lpString1="C:\\", lpString2="NEPHILIM-DECRYPT.txt" | out: lpString1="C:\\NEPHILIM-DECRYPT.txt") returned="C:\\NEPHILIM-DECRYPT.txt" [0090.369] PathFindExtensionW (pszPath="NEPHILIM-DECRYPT.txt") returned=".txt" [0090.369] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0090.369] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0090.369] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0090.369] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0090.369] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0090.369] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0090.369] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0090.369] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0090.369] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0090.369] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0090.369] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0090.369] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0090.370] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0090.370] lstrcmpiW (lpString1=".txt", lpString2=".NEPHILIM") returned 1 [0090.370] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0090.370] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0090.370] lstrcmpiW (lpString1="NEPHILIM-DECRYPT.txt", lpString2="NEPHILIM-DECRYPT.txt") returned 0 [0090.370] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xaece4da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0090.370] lstrcmpiW (lpString1="pagefile.sys", lpString2=".") returned 1 [0090.370] lstrcmpiW (lpString1="pagefile.sys", lpString2="..") returned 1 [0090.370] lstrcmpiW (lpString1="pagefile.sys", lpString2="...") returned 1 [0090.370] lstrcmpiW (lpString1="pagefile.sys", lpString2="windows") returned -1 [0090.370] lstrcmpiW (lpString1="pagefile.sys", lpString2="$RECYCLE.BIN") returned 1 [0090.370] lstrcmpiW (lpString1="pagefile.sys", lpString2="rsa") returned -1 [0090.370] lstrcmpiW (lpString1="pagefile.sys", lpString2="log") returned 1 [0090.370] lstrcmpiW (lpString1="pagefile.sys", lpString2="NTDETECT.COM") returned 1 [0090.370] lstrcmpiW (lpString1="pagefile.sys", lpString2="ntldr") returned 1 [0090.370] lstrcmpiW (lpString1="pagefile.sys", lpString2="MSDOS.SYS") returned 1 [0090.370] lstrcmpiW (lpString1="pagefile.sys", lpString2="IO.SYS") returned 1 [0090.373] lstrcmpiW (lpString1="pagefile.sys", lpString2="boot.ini") returned 1 [0090.373] lstrcmpiW (lpString1="pagefile.sys", lpString2="AUTOEXEC.BAT") returned 1 [0090.373] lstrcmpiW (lpString1="pagefile.sys", lpString2="ntuser.dat") returned 1 [0090.373] lstrcmpiW (lpString1="pagefile.sys", lpString2="desktop.ini") returned 1 [0090.374] lstrcmpiW (lpString1="pagefile.sys", lpString2="CONFIG.SYS") returned 1 [0090.374] lstrcmpiW (lpString1="pagefile.sys", lpString2="RECYCLER") returned -1 [0090.374] lstrcmpiW (lpString1="pagefile.sys", lpString2="BOOTSECT.BAK") returned 1 [0090.374] lstrcmpiW (lpString1="pagefile.sys", lpString2="bootmgr") returned 1 [0090.374] lstrcmpiW (lpString1="pagefile.sys", lpString2="programdata") returned -1 [0090.374] lstrcmpiW (lpString1="pagefile.sys", lpString2="appdata") returned 1 [0090.374] lstrcmpiW (lpString1="pagefile.sys", lpString2="program files") returned -1 [0090.374] lstrcmpiW (lpString1="pagefile.sys", lpString2="program files (x86)") returned -1 [0090.374] lstrcpyW (in: lpString1=0x24dfa58, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0090.374] lstrcatW (in: lpString1="C:\\", lpString2="pagefile.sys" | out: lpString1="C:\\pagefile.sys") returned="C:\\pagefile.sys" [0090.374] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0090.374] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0090.374] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0090.374] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0090.374] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0090.374] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0090.374] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0090.374] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0090.374] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0090.374] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0090.374] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0090.375] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0090.375] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0090.375] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0090.375] lstrcmpiW (lpString1=".sys", lpString2=".NEPHILIM") returned 1 [0090.375] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0090.375] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0090.375] lstrcmpiW (lpString1="pagefile.sys", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0090.375] lstrlenA (lpString="NEPHILIM") returned 8 [0090.375] GetProcessHeap () returned 0x4e0000 [0090.375] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5074a8 [0090.375] lstrlenA (lpString="NEPHILIM") returned 8 [0090.375] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0090.376] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24df7c8 | out: lpFileSize=0x24df7c8*=4294968320) returned 0 [0090.376] GetProcessHeap () returned 0x4e0000 [0090.376] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504ca8 [0090.376] GetProcessHeap () returned 0x4e0000 [0090.376] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504c90 [0090.376] SystemFunction036 (in: RandomBuffer=0x504ca8, RandomBufferLength=0x10 | out: RandomBuffer=0x504ca8) returned 1 [0090.376] SystemFunction036 (in: RandomBuffer=0x504c90, RandomBufferLength=0x10 | out: RandomBuffer=0x504c90) returned 1 [0090.376] GetProcessHeap () returned 0x4e0000 [0090.376] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ff0 [0090.376] GetProcessHeap () returned 0x4e0000 [0090.376] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x507ee8 [0090.377] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ff0*, pdwDataLen=0x24df588*=0x10, dwBufLen=0x100 | out: pbData=0x507ff0*, pdwDataLen=0x24df588*=0x100) returned 1 [0090.377] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x507ee8*, pdwDataLen=0x24df584*=0x10, dwBufLen=0x100 | out: pbData=0x507ee8*, pdwDataLen=0x24df584*=0x100) returned 1 [0090.377] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0090.377] SetLastError (dwErrCode=0x0) [0090.377] WriteFile (in: hFile=0xffffffff, lpBuffer=0x507ff0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24df7bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24df7bc, lpOverlapped=0x0) returned 0 [0090.378] GetLastError () returned 0x6 [0090.378] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0090.378] lstrcmpiW (lpString1="PerfLogs", lpString2=".") returned 1 [0090.378] lstrcmpiW (lpString1="PerfLogs", lpString2="..") returned 1 [0090.378] lstrcmpiW (lpString1="PerfLogs", lpString2="...") returned 1 [0090.378] lstrcmpiW (lpString1="PerfLogs", lpString2="windows") returned -1 [0090.378] lstrcmpiW (lpString1="PerfLogs", lpString2="$RECYCLE.BIN") returned 1 [0090.378] lstrcmpiW (lpString1="PerfLogs", lpString2="rsa") returned -1 [0090.378] lstrcmpiW (lpString1="PerfLogs", lpString2="log") returned 1 [0090.378] lstrcmpiW (lpString1="PerfLogs", lpString2="NTDETECT.COM") returned 1 [0090.378] lstrcmpiW (lpString1="PerfLogs", lpString2="ntldr") returned 1 [0090.378] lstrcmpiW (lpString1="PerfLogs", lpString2="MSDOS.SYS") returned 1 [0090.378] lstrcmpiW (lpString1="PerfLogs", lpString2="IO.SYS") returned 1 [0090.378] lstrcmpiW (lpString1="PerfLogs", lpString2="boot.ini") returned 1 [0090.379] lstrcmpiW (lpString1="PerfLogs", lpString2="AUTOEXEC.BAT") returned 1 [0090.379] lstrcmpiW (lpString1="PerfLogs", lpString2="ntuser.dat") returned 1 [0090.379] lstrcmpiW (lpString1="PerfLogs", lpString2="desktop.ini") returned 1 [0090.379] lstrcmpiW (lpString1="PerfLogs", lpString2="CONFIG.SYS") returned 1 [0090.379] lstrcmpiW (lpString1="PerfLogs", lpString2="RECYCLER") returned -1 [0090.379] lstrcmpiW (lpString1="PerfLogs", lpString2="BOOTSECT.BAK") returned 1 [0090.379] lstrcmpiW (lpString1="PerfLogs", lpString2="bootmgr") returned 1 [0090.379] lstrcmpiW (lpString1="PerfLogs", lpString2="programdata") returned -1 [0090.379] lstrcmpiW (lpString1="PerfLogs", lpString2="appdata") returned 1 [0090.379] lstrcmpiW (lpString1="PerfLogs", lpString2="program files") returned -1 [0090.379] lstrcmpiW (lpString1="PerfLogs", lpString2="program files (x86)") returned -1 [0090.379] lstrcpyW (in: lpString1=0x24dfa58, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0090.379] lstrcatW (in: lpString1="C:\\", lpString2="PerfLogs" | out: lpString1="C:\\PerfLogs") returned="C:\\PerfLogs" [0090.379] lstrcatW (in: lpString1="C:\\PerfLogs", lpString2="\\" | out: lpString1="C:\\PerfLogs\\") returned="C:\\PerfLogs\\" [0090.379] lstrcpyW (in: lpString1=0x24df5e0, lpString2="C:\\PerfLogs\\" | out: lpString1="C:\\PerfLogs\\") returned="C:\\PerfLogs\\" [0090.379] lstrcatW (in: lpString1="C:\\PerfLogs\\", lpString2="*.*" | out: lpString1="C:\\PerfLogs\\*.*") returned="C:\\PerfLogs\\*.*" [0090.380] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*.*", lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a7b2e4f, dwReserved1=0x3c67b114, cFileName=".", cAlternateFileName="")) returned 0x4ff0b8 [0090.380] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0090.380] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a7b2e4f, dwReserved1=0x3c67b114, cFileName="..", cAlternateFileName="")) returned 1 [0090.380] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0090.380] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0090.381] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a7b2e4f, dwReserved1=0x3c67b114, cFileName="Admin", cAlternateFileName="")) returned 1 [0090.381] lstrcmpiW (lpString1="Admin", lpString2=".") returned 1 [0090.381] lstrcmpiW (lpString1="Admin", lpString2="..") returned 1 [0090.381] lstrcmpiW (lpString1="Admin", lpString2="...") returned 1 [0090.381] lstrcmpiW (lpString1="Admin", lpString2="windows") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="$RECYCLE.BIN") returned 1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="rsa") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="log") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="NTDETECT.COM") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="ntldr") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="MSDOS.SYS") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="IO.SYS") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="boot.ini") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="AUTOEXEC.BAT") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="ntuser.dat") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="desktop.ini") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="CONFIG.SYS") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="RECYCLER") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="BOOTSECT.BAK") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="bootmgr") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="programdata") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="appdata") returned -1 [0090.382] lstrcmpiW (lpString1="Admin", lpString2="program files") returned -1 [0090.383] lstrcmpiW (lpString1="Admin", lpString2="program files (x86)") returned -1 [0090.383] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\PerfLogs\\" | out: lpString1="C:\\PerfLogs\\") returned="C:\\PerfLogs\\" [0090.383] lstrcatW (in: lpString1="C:\\PerfLogs\\", lpString2="Admin" | out: lpString1="C:\\PerfLogs\\Admin") returned="C:\\PerfLogs\\Admin" [0090.383] lstrcatW (in: lpString1="C:\\PerfLogs\\Admin", lpString2="\\" | out: lpString1="C:\\PerfLogs\\Admin\\") returned="C:\\PerfLogs\\Admin\\" [0090.383] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\PerfLogs\\Admin\\" | out: lpString1="C:\\PerfLogs\\Admin\\") returned="C:\\PerfLogs\\Admin\\" [0090.383] lstrcatW (in: lpString1="C:\\PerfLogs\\Admin\\", lpString2="*.*" | out: lpString1="C:\\PerfLogs\\Admin\\*.*") returned="C:\\PerfLogs\\Admin\\*.*" [0090.383] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0090.383] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0090.383] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="..", cAlternateFileName="")) returned 1 [0090.383] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0090.384] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0090.384] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="..", cAlternateFileName="")) returned 0 [0090.384] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0090.384] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a7b2e4f, dwReserved1=0x3c67b114, cFileName="Admin", cAlternateFileName="")) returned 0 [0090.384] FindClose (in: hFindFile=0x4ff0b8 | out: hFindFile=0x4ff0b8) returned 1 [0090.384] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf185f440, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xf185f440, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2=".") returned 1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="..") returned 1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="...") returned 1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="windows") returned -1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="$RECYCLE.BIN") returned 1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="rsa") returned -1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="log") returned 1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="NTDETECT.COM") returned 1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="ntldr") returned 1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="MSDOS.SYS") returned 1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="IO.SYS") returned 1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="boot.ini") returned 1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="AUTOEXEC.BAT") returned 1 [0090.384] lstrcmpiW (lpString1="Program Files", lpString2="ntuser.dat") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files", lpString2="desktop.ini") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files", lpString2="CONFIG.SYS") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files", lpString2="RECYCLER") returned -1 [0090.385] lstrcmpiW (lpString1="Program Files", lpString2="BOOTSECT.BAK") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files", lpString2="bootmgr") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files", lpString2="programdata") returned -1 [0090.385] lstrcmpiW (lpString1="Program Files", lpString2="appdata") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files", lpString2="program files") returned 0 [0090.385] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2=".") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="..") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="...") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="windows") returned -1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="$RECYCLE.BIN") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="rsa") returned -1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="log") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="NTDETECT.COM") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="ntldr") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="MSDOS.SYS") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="IO.SYS") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="boot.ini") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="AUTOEXEC.BAT") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="ntuser.dat") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="desktop.ini") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="CONFIG.SYS") returned 1 [0090.385] lstrcmpiW (lpString1="Program Files (x86)", lpString2="RECYCLER") returned -1 [0090.386] lstrcmpiW (lpString1="Program Files (x86)", lpString2="BOOTSECT.BAK") returned 1 [0090.386] lstrcmpiW (lpString1="Program Files (x86)", lpString2="bootmgr") returned 1 [0090.386] lstrcmpiW (lpString1="Program Files (x86)", lpString2="programdata") returned -1 [0090.386] lstrcmpiW (lpString1="Program Files (x86)", lpString2="appdata") returned 1 [0090.386] lstrcmpiW (lpString1="Program Files (x86)", lpString2="program files") returned 1 [0090.386] lstrcmpiW (lpString1="Program Files (x86)", lpString2="program files (x86)") returned 0 [0090.386] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2=".") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="..") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="...") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="windows") returned -1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="$RECYCLE.BIN") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="rsa") returned -1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="log") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="NTDETECT.COM") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="ntldr") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="MSDOS.SYS") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="IO.SYS") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="boot.ini") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="AUTOEXEC.BAT") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="ntuser.dat") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="desktop.ini") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="CONFIG.SYS") returned 1 [0090.386] lstrcmpiW (lpString1="ProgramData", lpString2="RECYCLER") returned -1 [0090.387] lstrcmpiW (lpString1="ProgramData", lpString2="BOOTSECT.BAK") returned 1 [0090.387] lstrcmpiW (lpString1="ProgramData", lpString2="bootmgr") returned 1 [0090.387] lstrcmpiW (lpString1="ProgramData", lpString2="programdata") returned 0 [0090.387] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2=".") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="..") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="...") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="windows") returned -1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="$RECYCLE.BIN") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="rsa") returned -1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="log") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="NTDETECT.COM") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="ntldr") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="MSDOS.SYS") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="IO.SYS") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="boot.ini") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="AUTOEXEC.BAT") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="ntuser.dat") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="desktop.ini") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="CONFIG.SYS") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="RECYCLER") returned -1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="BOOTSECT.BAK") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="bootmgr") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="programdata") returned 1 [0090.387] lstrcmpiW (lpString1="Recovery", lpString2="appdata") returned 1 [0090.388] lstrcmpiW (lpString1="Recovery", lpString2="program files") returned 1 [0090.388] lstrcmpiW (lpString1="Recovery", lpString2="program files (x86)") returned 1 [0090.388] lstrcpyW (in: lpString1=0x24dfa58, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0090.388] lstrcatW (in: lpString1="C:\\", lpString2="Recovery" | out: lpString1="C:\\Recovery") returned="C:\\Recovery" [0090.388] lstrcatW (in: lpString1="C:\\Recovery", lpString2="\\" | out: lpString1="C:\\Recovery\\") returned="C:\\Recovery\\" [0090.388] lstrcpyW (in: lpString1=0x24df5e0, lpString2="C:\\Recovery\\" | out: lpString1="C:\\Recovery\\") returned="C:\\Recovery\\" [0090.388] lstrcatW (in: lpString1="C:\\Recovery\\", lpString2="*.*" | out: lpString1="C:\\Recovery\\*.*") returned="C:\\Recovery\\*.*" [0090.388] FindFirstFileW (in: lpFileName="C:\\Recovery\\*.*", lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a7b2e4f, dwReserved1=0x3c67b114, cFileName=".", cAlternateFileName="")) returned 0x4ff0b8 [0090.389] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0090.389] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a7b2e4f, dwReserved1=0x3c67b114, cFileName="..", cAlternateFileName="")) returned 1 [0090.389] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0090.389] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0090.390] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a7b2e4f, dwReserved1=0x3c67b114, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2=".") returned 1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="..") returned 1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="...") returned 1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="windows") returned -1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="$RECYCLE.BIN") returned 1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="rsa") returned -1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="log") returned -1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="NTDETECT.COM") returned -1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="ntldr") returned -1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="MSDOS.SYS") returned -1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="IO.SYS") returned -1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="boot.ini") returned 1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="AUTOEXEC.BAT") returned 1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="ntuser.dat") returned -1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="desktop.ini") returned 1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="CONFIG.SYS") returned 1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="RECYCLER") returned -1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="BOOTSECT.BAK") returned 1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="bootmgr") returned 1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="programdata") returned -1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="appdata") returned 1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="program files") returned -1 [0090.390] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="program files (x86)") returned -1 [0090.390] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Recovery\\" | out: lpString1="C:\\Recovery\\") returned="C:\\Recovery\\" [0090.390] lstrcatW (in: lpString1="C:\\Recovery\\", lpString2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" [0090.391] lstrcatW (in: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="\\" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" [0090.391] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" [0090.391] lstrcatW (in: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\", lpString2="*.*" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*" [0090.391] FindFirstFileW (in: lpFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0090.391] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0090.391] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="..", cAlternateFileName="")) returned 1 [0090.391] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0090.391] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0090.391] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x27c2fae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x4185decd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0090.391] lstrcmpiW (lpString1="boot.sdi", lpString2=".") returned 1 [0090.391] lstrcmpiW (lpString1="boot.sdi", lpString2="..") returned 1 [0090.391] lstrcmpiW (lpString1="boot.sdi", lpString2="...") returned 1 [0090.391] lstrcmpiW (lpString1="boot.sdi", lpString2="windows") returned -1 [0090.391] lstrcmpiW (lpString1="boot.sdi", lpString2="$RECYCLE.BIN") returned 1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="rsa") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="log") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="NTDETECT.COM") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="ntldr") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="MSDOS.SYS") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="IO.SYS") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="boot.ini") returned 1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="AUTOEXEC.BAT") returned 1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="ntuser.dat") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="desktop.ini") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="CONFIG.SYS") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="RECYCLER") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="BOOTSECT.BAK") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="bootmgr") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="programdata") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="appdata") returned 1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="program files") returned -1 [0090.392] lstrcmpiW (lpString1="boot.sdi", lpString2="program files (x86)") returned -1 [0090.392] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" [0090.392] lstrcatW (in: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\", lpString2="boot.sdi" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0090.392] PathFindExtensionW (pszPath="boot.sdi") returned=".sdi" [0090.392] lstrcmpiW (lpString1=".sdi", lpString2=".exe") returned 1 [0090.392] lstrcmpiW (lpString1=".sdi", lpString2=".log") returned 1 [0090.392] lstrcmpiW (lpString1=".sdi", lpString2=".cab") returned 1 [0090.392] lstrcmpiW (lpString1=".sdi", lpString2=".cmd") returned 1 [0090.392] lstrcmpiW (lpString1=".sdi", lpString2=".com") returned 1 [0090.393] lstrcmpiW (lpString1=".sdi", lpString2=".cpl") returned 1 [0090.393] lstrcmpiW (lpString1=".sdi", lpString2=".ini") returned 1 [0090.393] lstrcmpiW (lpString1=".sdi", lpString2=".dll") returned 1 [0090.393] lstrcmpiW (lpString1=".sdi", lpString2=".url") returned -1 [0090.393] lstrcmpiW (lpString1=".sdi", lpString2=".ttf") returned -1 [0090.393] lstrcmpiW (lpString1=".sdi", lpString2=".mp3") returned 1 [0090.393] lstrcmpiW (lpString1=".sdi", lpString2=".pif") returned 1 [0090.393] lstrcmpiW (lpString1=".sdi", lpString2=".mp4") returned 1 [0090.393] lstrcmpiW (lpString1=".sdi", lpString2=".NEPHILIM") returned 1 [0090.393] lstrcmpiW (lpString1=".sdi", lpString2=".msi") returned 1 [0090.393] lstrcmpiW (lpString1=".sdi", lpString2=".lnk") returned 1 [0090.393] lstrcmpiW (lpString1="boot.sdi", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0090.393] lstrlenA (lpString="NEPHILIM") returned 8 [0090.393] GetProcessHeap () returned 0x4e0000 [0090.393] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5074b8 [0090.393] lstrlenA (lpString="NEPHILIM") returned 8 [0090.393] CreateFileW (lpFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0090.394] GetFileSizeEx (in: hFile=0xe8, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=3170304) returned 1 [0090.394] GetProcessHeap () returned 0x4e0000 [0090.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0090.394] GetProcessHeap () returned 0x4e0000 [0090.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0090.394] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0090.394] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0090.394] GetProcessHeap () returned 0x4e0000 [0090.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0090.394] GetProcessHeap () returned 0x4e0000 [0090.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0090.394] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de888*=0x100) returned 1 [0090.395] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de884*=0x100) returned 1 [0090.395] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x306000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.395] SetLastError (dwErrCode=0x0) [0090.395] WriteFile (in: hFile=0xe8, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0090.397] GetLastError () returned 0x0 [0090.397] GetLastError () returned 0x0 [0090.397] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x306100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.397] WriteFile (in: hFile=0xe8, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0090.397] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x306200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.397] lstrlenA (lpString="NEPHILIM") returned 8 [0090.397] WriteFile (in: hFile=0xe8, lpBuffer=0x5074b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5074b8*, lpNumberOfBytesWritten=0x24deabc*=0x8, lpOverlapped=0x0) returned 1 [0090.397] GetProcessHeap () returned 0x4e0000 [0090.397] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2010020 [0090.398] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.398] ReadFile (in: hFile=0xe8, lpBuffer=0x2010020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesRead=0x24deab0*=0x927c0, lpOverlapped=0x0) returned 1 [0090.462] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.462] WriteFile (in: hFile=0xe8, lpBuffer=0x2010020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesWritten=0x24deabc*=0x927c0, lpOverlapped=0x0) returned 1 [0090.464] GetProcessHeap () returned 0x4e0000 [0090.464] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2010020 | out: hHeap=0x4e0000) returned 1 [0090.468] CloseHandle (hObject=0xe8) returned 1 [0090.570] GetProcessHeap () returned 0x4e0000 [0090.570] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0090.570] GetProcessHeap () returned 0x4e0000 [0090.570] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0090.570] GetProcessHeap () returned 0x4e0000 [0090.570] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0090.571] GetProcessHeap () returned 0x4e0000 [0090.571] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0090.571] lstrcpyW (in: lpString1=0x24de8a8, lpString2="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0090.571] lstrcatW (in: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpString2=".NEPHILIM" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.NEPHILIM") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.NEPHILIM" [0090.571] MoveFileW (lpExistingFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), lpNewFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.NEPHILIM" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.nephilim")) returned 1 [0090.571] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0090.571] lstrcmpiW (lpString1="Winre.wim", lpString2=".") returned 1 [0090.571] lstrcmpiW (lpString1="Winre.wim", lpString2="..") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="...") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="windows") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="$RECYCLE.BIN") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="rsa") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="log") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="NTDETECT.COM") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="ntldr") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="MSDOS.SYS") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="IO.SYS") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="boot.ini") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="AUTOEXEC.BAT") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="ntuser.dat") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="desktop.ini") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="CONFIG.SYS") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="RECYCLER") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="BOOTSECT.BAK") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="bootmgr") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="programdata") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="appdata") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="program files") returned 1 [0090.572] lstrcmpiW (lpString1="Winre.wim", lpString2="program files (x86)") returned 1 [0090.572] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" [0090.572] lstrcatW (in: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\", lpString2="Winre.wim" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0090.572] PathFindExtensionW (pszPath="Winre.wim") returned=".wim" [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".exe") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".log") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".cab") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".cmd") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".com") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".cpl") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".ini") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".dll") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".url") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".ttf") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".mp3") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".pif") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".mp4") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".NEPHILIM") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".msi") returned 1 [0090.573] lstrcmpiW (lpString1=".wim", lpString2=".lnk") returned 1 [0090.573] lstrcmpiW (lpString1="Winre.wim", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0090.573] lstrlenA (lpString="NEPHILIM") returned 8 [0090.573] GetProcessHeap () returned 0x4e0000 [0090.573] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5074c8 [0090.573] lstrlenA (lpString="NEPHILIM") returned 8 [0090.573] CreateFileW (lpFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0090.587] GetFileSizeEx (in: hFile=0xe8, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=169213970) returned 1 [0090.588] GetProcessHeap () returned 0x4e0000 [0090.588] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0090.588] GetProcessHeap () returned 0x4e0000 [0090.588] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0090.588] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0090.588] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0090.588] GetProcessHeap () returned 0x4e0000 [0090.588] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0090.588] GetProcessHeap () returned 0x4e0000 [0090.588] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0090.588] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de888*=0x100) returned 1 [0090.588] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de884*=0x100) returned 1 [0090.589] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa160012, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.589] SetLastError (dwErrCode=0x0) [0090.589] WriteFile (in: hFile=0xe8, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0090.595] GetLastError () returned 0x0 [0090.595] GetLastError () returned 0x0 [0090.595] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa160112, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.595] WriteFile (in: hFile=0xe8, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0090.596] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa160212, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.596] lstrlenA (lpString="NEPHILIM") returned 8 [0090.596] WriteFile (in: hFile=0xe8, lpBuffer=0x5074c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5074c8*, lpNumberOfBytesWritten=0x24deabc*=0x8, lpOverlapped=0x0) returned 1 [0090.596] GetProcessHeap () returned 0x4e0000 [0090.596] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.596] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.596] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.608] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.608] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.609] GetProcessHeap () returned 0x4e0000 [0090.609] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.609] GetProcessHeap () returned 0x4e0000 [0090.609] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.609] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3d090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.609] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.618] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3d090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.618] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.619] GetProcessHeap () returned 0x4e0000 [0090.619] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.619] GetProcessHeap () returned 0x4e0000 [0090.619] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.619] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7a120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.619] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.632] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7a120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.632] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.633] GetProcessHeap () returned 0x4e0000 [0090.633] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.633] GetProcessHeap () returned 0x4e0000 [0090.633] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.633] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xb71b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.633] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.642] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xb71b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.642] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.642] GetProcessHeap () returned 0x4e0000 [0090.642] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.642] GetProcessHeap () returned 0x4e0000 [0090.642] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.642] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xf4240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.643] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.658] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xf4240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.658] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.659] GetProcessHeap () returned 0x4e0000 [0090.659] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.659] GetProcessHeap () returned 0x4e0000 [0090.659] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.659] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1312d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.659] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.668] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1312d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.668] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.669] GetProcessHeap () returned 0x4e0000 [0090.669] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.669] GetProcessHeap () returned 0x4e0000 [0090.669] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.669] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x16e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.669] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.678] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x16e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.678] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.679] GetProcessHeap () returned 0x4e0000 [0090.679] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.679] GetProcessHeap () returned 0x4e0000 [0090.679] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.679] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1ab3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.679] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.689] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1ab3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.689] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.690] GetProcessHeap () returned 0x4e0000 [0090.690] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.690] GetProcessHeap () returned 0x4e0000 [0090.690] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.690] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1e8480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.690] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.708] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1e8480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.708] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.710] GetProcessHeap () returned 0x4e0000 [0090.710] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.710] GetProcessHeap () returned 0x4e0000 [0090.710] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.710] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x225510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.710] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.763] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x225510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.763] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.764] GetProcessHeap () returned 0x4e0000 [0090.764] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.764] GetProcessHeap () returned 0x4e0000 [0090.764] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.764] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2625a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.764] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.772] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2625a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.772] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.773] GetProcessHeap () returned 0x4e0000 [0090.773] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.773] GetProcessHeap () returned 0x4e0000 [0090.773] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.773] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x29f630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.773] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.798] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x29f630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.798] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.799] GetProcessHeap () returned 0x4e0000 [0090.799] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.799] GetProcessHeap () returned 0x4e0000 [0090.799] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.799] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2dc6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.799] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.805] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2dc6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.806] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.806] GetProcessHeap () returned 0x4e0000 [0090.806] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.806] GetProcessHeap () returned 0x4e0000 [0090.806] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.806] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x319750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.806] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.852] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x319750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.852] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.853] GetProcessHeap () returned 0x4e0000 [0090.853] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.853] GetProcessHeap () returned 0x4e0000 [0090.853] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.853] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3567e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.853] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.863] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3567e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.863] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.863] GetProcessHeap () returned 0x4e0000 [0090.863] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.863] GetProcessHeap () returned 0x4e0000 [0090.864] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.864] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x393870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.864] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.873] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x393870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.873] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.874] GetProcessHeap () returned 0x4e0000 [0090.874] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.874] GetProcessHeap () returned 0x4e0000 [0090.874] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.874] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3d0900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.874] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.884] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3d0900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.884] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.885] GetProcessHeap () returned 0x4e0000 [0090.885] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.885] GetProcessHeap () returned 0x4e0000 [0090.885] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.885] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x40d990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.885] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.902] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x40d990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.902] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.903] GetProcessHeap () returned 0x4e0000 [0090.903] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.903] GetProcessHeap () returned 0x4e0000 [0090.903] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.903] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x44aa20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.903] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.914] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x44aa20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.914] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.914] GetProcessHeap () returned 0x4e0000 [0090.914] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.914] GetProcessHeap () returned 0x4e0000 [0090.914] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.915] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x487ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.915] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.924] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x487ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.924] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.925] GetProcessHeap () returned 0x4e0000 [0090.925] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.925] GetProcessHeap () returned 0x4e0000 [0090.925] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.925] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4c4b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.925] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.935] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4c4b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.935] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.936] GetProcessHeap () returned 0x4e0000 [0090.936] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.936] GetProcessHeap () returned 0x4e0000 [0090.936] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.936] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x501bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.936] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.954] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x501bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.954] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.954] GetProcessHeap () returned 0x4e0000 [0090.954] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.954] GetProcessHeap () returned 0x4e0000 [0090.954] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.955] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x53ec60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.955] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.964] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x53ec60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.965] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.965] GetProcessHeap () returned 0x4e0000 [0090.965] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.965] GetProcessHeap () returned 0x4e0000 [0090.965] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.965] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x57bcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.965] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.975] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x57bcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.975] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.976] GetProcessHeap () returned 0x4e0000 [0090.976] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.976] GetProcessHeap () returned 0x4e0000 [0090.976] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.976] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5b8d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.976] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.986] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5b8d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.986] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.987] GetProcessHeap () returned 0x4e0000 [0090.987] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0090.987] GetProcessHeap () returned 0x4e0000 [0090.987] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0090.987] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5f5e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.987] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.004] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5f5e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.004] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.006] GetProcessHeap () returned 0x4e0000 [0091.006] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.006] GetProcessHeap () returned 0x4e0000 [0091.006] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.006] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x632ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.006] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.015] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x632ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.015] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.016] GetProcessHeap () returned 0x4e0000 [0091.016] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.016] GetProcessHeap () returned 0x4e0000 [0091.016] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.016] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x66ff30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.016] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.025] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x66ff30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.025] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.025] GetProcessHeap () returned 0x4e0000 [0091.025] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.025] GetProcessHeap () returned 0x4e0000 [0091.025] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.025] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6acfc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.025] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.035] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6acfc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.035] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.035] GetProcessHeap () returned 0x4e0000 [0091.035] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.035] GetProcessHeap () returned 0x4e0000 [0091.036] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.036] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6ea050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.036] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.054] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6ea050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.054] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.055] GetProcessHeap () returned 0x4e0000 [0091.056] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.056] GetProcessHeap () returned 0x4e0000 [0091.056] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.056] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7270e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.056] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.070] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7270e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.070] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.071] GetProcessHeap () returned 0x4e0000 [0091.071] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.071] GetProcessHeap () returned 0x4e0000 [0091.071] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.071] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x764170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.071] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.080] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x764170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.080] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.081] GetProcessHeap () returned 0x4e0000 [0091.081] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.081] GetProcessHeap () returned 0x4e0000 [0091.081] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.081] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7a1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.081] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.090] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7a1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.090] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.090] GetProcessHeap () returned 0x4e0000 [0091.091] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.091] GetProcessHeap () returned 0x4e0000 [0091.091] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.091] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7de290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.091] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.099] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7de290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.099] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.100] GetProcessHeap () returned 0x4e0000 [0091.100] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.100] GetProcessHeap () returned 0x4e0000 [0091.100] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.100] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x81b320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.100] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.117] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x81b320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.117] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.118] GetProcessHeap () returned 0x4e0000 [0091.118] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.118] GetProcessHeap () returned 0x4e0000 [0091.118] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.118] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8583b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.118] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.126] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8583b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.126] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.127] GetProcessHeap () returned 0x4e0000 [0091.127] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.127] GetProcessHeap () returned 0x4e0000 [0091.127] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.127] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x895440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.127] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.136] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x895440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.136] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.136] GetProcessHeap () returned 0x4e0000 [0091.136] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.137] GetProcessHeap () returned 0x4e0000 [0091.137] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.137] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8d24d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.137] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.146] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8d24d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.146] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.146] GetProcessHeap () returned 0x4e0000 [0091.146] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.146] GetProcessHeap () returned 0x4e0000 [0091.146] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.146] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x90f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.146] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.161] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x90f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.161] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.161] GetProcessHeap () returned 0x4e0000 [0091.161] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.161] GetProcessHeap () returned 0x4e0000 [0091.161] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.162] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x94c5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.162] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.171] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x94c5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.171] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.172] GetProcessHeap () returned 0x4e0000 [0091.172] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.172] GetProcessHeap () returned 0x4e0000 [0091.172] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.172] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x989680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.172] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.195] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x989680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.195] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.196] GetProcessHeap () returned 0x4e0000 [0091.196] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.196] GetProcessHeap () returned 0x4e0000 [0091.196] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.196] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9c6710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.196] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.204] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9c6710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.204] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.205] GetProcessHeap () returned 0x4e0000 [0091.205] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.205] GetProcessHeap () returned 0x4e0000 [0091.205] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.205] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa037a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.205] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.220] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa037a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.220] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.220] GetProcessHeap () returned 0x4e0000 [0091.220] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.220] GetProcessHeap () returned 0x4e0000 [0091.220] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.220] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa40830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.220] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.228] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa40830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.229] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.229] GetProcessHeap () returned 0x4e0000 [0091.229] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.229] GetProcessHeap () returned 0x4e0000 [0091.229] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.229] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa7d8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.229] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.240] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa7d8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.240] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.241] GetProcessHeap () returned 0x4e0000 [0091.241] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.241] GetProcessHeap () returned 0x4e0000 [0091.241] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.241] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xaba950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.241] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.250] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xaba950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.250] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.251] GetProcessHeap () returned 0x4e0000 [0091.251] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.251] GetProcessHeap () returned 0x4e0000 [0091.251] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.251] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xaf79e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.251] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.266] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xaf79e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.266] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.267] GetProcessHeap () returned 0x4e0000 [0091.267] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.267] GetProcessHeap () returned 0x4e0000 [0091.267] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.267] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xb34a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.268] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.276] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xb34a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.276] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.277] GetProcessHeap () returned 0x4e0000 [0091.277] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.277] GetProcessHeap () returned 0x4e0000 [0091.277] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.277] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xb71b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.277] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.285] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xb71b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.285] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.286] GetProcessHeap () returned 0x4e0000 [0091.286] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.286] GetProcessHeap () returned 0x4e0000 [0091.286] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.286] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xbaeb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.286] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.295] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xbaeb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.295] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.295] GetProcessHeap () returned 0x4e0000 [0091.295] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.295] GetProcessHeap () returned 0x4e0000 [0091.295] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.295] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xbebc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.295] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.312] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xbebc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.312] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.313] GetProcessHeap () returned 0x4e0000 [0091.313] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.313] GetProcessHeap () returned 0x4e0000 [0091.313] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.313] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xc28cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.313] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.322] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xc28cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.322] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.322] GetProcessHeap () returned 0x4e0000 [0091.322] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.322] GetProcessHeap () returned 0x4e0000 [0091.322] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.322] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xc65d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.322] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.331] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xc65d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.331] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.333] GetProcessHeap () returned 0x4e0000 [0091.333] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.333] GetProcessHeap () returned 0x4e0000 [0091.333] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.333] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xca2dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.333] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.341] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xca2dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.341] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.341] GetProcessHeap () returned 0x4e0000 [0091.342] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.342] GetProcessHeap () returned 0x4e0000 [0091.342] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.342] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xcdfe60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.342] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.351] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xcdfe60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.351] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.352] GetProcessHeap () returned 0x4e0000 [0091.352] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.352] GetProcessHeap () returned 0x4e0000 [0091.352] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.352] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xd1cef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.352] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.368] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xd1cef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.368] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.369] GetProcessHeap () returned 0x4e0000 [0091.369] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.369] GetProcessHeap () returned 0x4e0000 [0091.369] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.369] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xd59f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.369] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.378] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xd59f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.378] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.378] GetProcessHeap () returned 0x4e0000 [0091.378] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.378] GetProcessHeap () returned 0x4e0000 [0091.378] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.378] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xd97010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.378] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.387] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xd97010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.387] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.387] GetProcessHeap () returned 0x4e0000 [0091.387] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.387] GetProcessHeap () returned 0x4e0000 [0091.387] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.388] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xdd40a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.388] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.400] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xdd40a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.400] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.401] GetProcessHeap () returned 0x4e0000 [0091.401] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.401] GetProcessHeap () returned 0x4e0000 [0091.401] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.401] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xe11130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.401] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.416] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xe11130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.416] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.416] GetProcessHeap () returned 0x4e0000 [0091.416] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.416] GetProcessHeap () returned 0x4e0000 [0091.416] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.416] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xe4e1c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.416] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.424] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xe4e1c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.424] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.425] GetProcessHeap () returned 0x4e0000 [0091.425] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.425] GetProcessHeap () returned 0x4e0000 [0091.425] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.425] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xe8b250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.425] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.434] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xe8b250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.434] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.434] GetProcessHeap () returned 0x4e0000 [0091.435] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.435] GetProcessHeap () returned 0x4e0000 [0091.435] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.435] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xec82e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.435] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.444] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xec82e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.444] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.445] GetProcessHeap () returned 0x4e0000 [0091.445] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.445] GetProcessHeap () returned 0x4e0000 [0091.445] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.445] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xf05370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.445] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.463] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xf05370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.463] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.463] GetProcessHeap () returned 0x4e0000 [0091.464] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.464] GetProcessHeap () returned 0x4e0000 [0091.464] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.464] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xf42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.464] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.474] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xf42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.474] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.474] GetProcessHeap () returned 0x4e0000 [0091.474] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.474] GetProcessHeap () returned 0x4e0000 [0091.474] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.475] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xf7f490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.475] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.484] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xf7f490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.484] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.485] GetProcessHeap () returned 0x4e0000 [0091.485] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.485] GetProcessHeap () returned 0x4e0000 [0091.485] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.485] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xfbc520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.485] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.512] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xfbc520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.512] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.513] GetProcessHeap () returned 0x4e0000 [0091.513] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.513] GetProcessHeap () returned 0x4e0000 [0091.513] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.513] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xff95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.513] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.528] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xff95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.528] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.529] GetProcessHeap () returned 0x4e0000 [0091.529] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.529] GetProcessHeap () returned 0x4e0000 [0091.529] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.529] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1036640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.529] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.539] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1036640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.540] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.540] GetProcessHeap () returned 0x4e0000 [0091.540] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.540] GetProcessHeap () returned 0x4e0000 [0091.540] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.540] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x10736d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.540] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.548] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x10736d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.548] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.549] GetProcessHeap () returned 0x4e0000 [0091.549] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.549] GetProcessHeap () returned 0x4e0000 [0091.549] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.549] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x10b0760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.549] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.561] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x10b0760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.561] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.561] GetProcessHeap () returned 0x4e0000 [0091.561] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.561] GetProcessHeap () returned 0x4e0000 [0091.562] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.562] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x10ed7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.562] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.579] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x10ed7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.579] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.580] GetProcessHeap () returned 0x4e0000 [0091.580] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.580] GetProcessHeap () returned 0x4e0000 [0091.580] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.580] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x112a880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.580] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.588] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x112a880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.588] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.589] GetProcessHeap () returned 0x4e0000 [0091.589] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.589] GetProcessHeap () returned 0x4e0000 [0091.589] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.589] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1167910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.589] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.598] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1167910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.598] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.598] GetProcessHeap () returned 0x4e0000 [0091.599] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.599] GetProcessHeap () returned 0x4e0000 [0091.599] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.599] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x11a49a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.599] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.607] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x11a49a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.607] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.607] GetProcessHeap () returned 0x4e0000 [0091.607] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.607] GetProcessHeap () returned 0x4e0000 [0091.607] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.608] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x11e1a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.608] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.624] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x11e1a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.624] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.626] GetProcessHeap () returned 0x4e0000 [0091.626] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.626] GetProcessHeap () returned 0x4e0000 [0091.626] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.626] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x121eac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.626] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.634] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x121eac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.634] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.635] GetProcessHeap () returned 0x4e0000 [0091.635] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.635] GetProcessHeap () returned 0x4e0000 [0091.635] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.635] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x125bb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.635] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.643] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x125bb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.643] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.643] GetProcessHeap () returned 0x4e0000 [0091.643] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.643] GetProcessHeap () returned 0x4e0000 [0091.643] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.643] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1298be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.644] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.652] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1298be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.652] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.652] GetProcessHeap () returned 0x4e0000 [0091.652] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.652] GetProcessHeap () returned 0x4e0000 [0091.652] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.652] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x12d5c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.652] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.661] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x12d5c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.661] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.661] GetProcessHeap () returned 0x4e0000 [0091.662] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.662] GetProcessHeap () returned 0x4e0000 [0091.662] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.662] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1312d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.662] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.679] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1312d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.679] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.680] GetProcessHeap () returned 0x4e0000 [0091.680] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.680] GetProcessHeap () returned 0x4e0000 [0091.680] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.680] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x134fd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.680] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.689] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x134fd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.689] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.689] GetProcessHeap () returned 0x4e0000 [0091.689] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.689] GetProcessHeap () returned 0x4e0000 [0091.689] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.689] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x138ce20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.689] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.702] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x138ce20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.702] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.703] GetProcessHeap () returned 0x4e0000 [0091.703] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.703] GetProcessHeap () returned 0x4e0000 [0091.703] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.703] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x13c9eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.703] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.712] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x13c9eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.712] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.713] GetProcessHeap () returned 0x4e0000 [0091.713] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.713] GetProcessHeap () returned 0x4e0000 [0091.713] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.713] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1406f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.713] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.738] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1406f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.738] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.739] GetProcessHeap () returned 0x4e0000 [0091.739] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.739] GetProcessHeap () returned 0x4e0000 [0091.739] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.739] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1443fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.739] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.754] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1443fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.755] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.755] GetProcessHeap () returned 0x4e0000 [0091.755] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.755] GetProcessHeap () returned 0x4e0000 [0091.755] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.755] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1481060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.756] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.764] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1481060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.764] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.764] GetProcessHeap () returned 0x4e0000 [0091.764] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.764] GetProcessHeap () returned 0x4e0000 [0091.764] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.764] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x14be0f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.765] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.775] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x14be0f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.775] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.776] GetProcessHeap () returned 0x4e0000 [0091.776] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.776] GetProcessHeap () returned 0x4e0000 [0091.776] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.776] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x14fb180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.776] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.793] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x14fb180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.793] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.795] GetProcessHeap () returned 0x4e0000 [0091.795] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.795] GetProcessHeap () returned 0x4e0000 [0091.795] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.795] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1538210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.795] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.805] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1538210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.805] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.806] GetProcessHeap () returned 0x4e0000 [0091.806] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.806] GetProcessHeap () returned 0x4e0000 [0091.806] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.806] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x15752a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.806] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.823] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x15752a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.824] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.824] GetProcessHeap () returned 0x4e0000 [0091.824] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.824] GetProcessHeap () returned 0x4e0000 [0091.824] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.824] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x15b2330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.824] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.833] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x15b2330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.833] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.834] GetProcessHeap () returned 0x4e0000 [0091.834] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.834] GetProcessHeap () returned 0x4e0000 [0091.834] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.834] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x15ef3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.834] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.852] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x15ef3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.852] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.854] GetProcessHeap () returned 0x4e0000 [0091.854] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.854] GetProcessHeap () returned 0x4e0000 [0091.854] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.854] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x162c450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.854] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.869] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x162c450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.870] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.870] GetProcessHeap () returned 0x4e0000 [0091.870] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.870] GetProcessHeap () returned 0x4e0000 [0091.870] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.870] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x16694e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.870] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.878] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x16694e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.878] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.879] GetProcessHeap () returned 0x4e0000 [0091.879] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.879] GetProcessHeap () returned 0x4e0000 [0091.879] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.879] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x16a6570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.879] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.887] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x16a6570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.887] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.887] GetProcessHeap () returned 0x4e0000 [0091.887] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.887] GetProcessHeap () returned 0x4e0000 [0091.887] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.887] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x16e3600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.887] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.903] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x16e3600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.903] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.904] GetProcessHeap () returned 0x4e0000 [0091.904] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.904] GetProcessHeap () returned 0x4e0000 [0091.904] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.904] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1720690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.904] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.927] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1720690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.928] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.928] GetProcessHeap () returned 0x4e0000 [0091.928] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.928] GetProcessHeap () returned 0x4e0000 [0091.928] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.928] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x175d720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.928] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.938] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x175d720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.938] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.938] GetProcessHeap () returned 0x4e0000 [0091.938] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.938] GetProcessHeap () returned 0x4e0000 [0091.938] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.939] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x179a7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.939] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.949] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x179a7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.949] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.950] GetProcessHeap () returned 0x4e0000 [0091.950] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.950] GetProcessHeap () returned 0x4e0000 [0091.950] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.950] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x17d7840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.950] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.958] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x17d7840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.958] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.958] GetProcessHeap () returned 0x4e0000 [0091.958] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.958] GetProcessHeap () returned 0x4e0000 [0091.958] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.958] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x18148d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.958] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.987] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x18148d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.987] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.988] GetProcessHeap () returned 0x4e0000 [0091.988] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.988] GetProcessHeap () returned 0x4e0000 [0091.988] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.988] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1851960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.988] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.996] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1851960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.997] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.997] GetProcessHeap () returned 0x4e0000 [0091.997] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0091.997] GetProcessHeap () returned 0x4e0000 [0091.997] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0091.997] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x188e9f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.997] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.006] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x188e9f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.006] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.007] GetProcessHeap () returned 0x4e0000 [0092.007] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.007] GetProcessHeap () returned 0x4e0000 [0092.007] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.007] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x18cba80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.007] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.018] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x18cba80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.018] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.019] GetProcessHeap () returned 0x4e0000 [0092.019] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.019] GetProcessHeap () returned 0x4e0000 [0092.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.019] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1908b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.019] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.033] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1908b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.033] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.034] GetProcessHeap () returned 0x4e0000 [0092.034] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.034] GetProcessHeap () returned 0x4e0000 [0092.034] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.034] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1945ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.034] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.043] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1945ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.043] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.044] GetProcessHeap () returned 0x4e0000 [0092.044] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.044] GetProcessHeap () returned 0x4e0000 [0092.044] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.044] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1982c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.044] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.056] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1982c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.056] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.056] GetProcessHeap () returned 0x4e0000 [0092.056] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.056] GetProcessHeap () returned 0x4e0000 [0092.056] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.056] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x19bfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.057] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.066] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x19bfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.066] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.067] GetProcessHeap () returned 0x4e0000 [0092.067] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.067] GetProcessHeap () returned 0x4e0000 [0092.067] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.067] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x19fcd50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.067] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.094] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x19fcd50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.094] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.095] GetProcessHeap () returned 0x4e0000 [0092.095] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.095] GetProcessHeap () returned 0x4e0000 [0092.095] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.095] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1a39de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.095] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.104] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1a39de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.104] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.104] GetProcessHeap () returned 0x4e0000 [0092.104] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.104] GetProcessHeap () returned 0x4e0000 [0092.105] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.105] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1a76e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.105] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.113] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1a76e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.113] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.114] GetProcessHeap () returned 0x4e0000 [0092.114] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.114] GetProcessHeap () returned 0x4e0000 [0092.114] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.114] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1ab3f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.114] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.123] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1ab3f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.123] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.124] GetProcessHeap () returned 0x4e0000 [0092.124] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.124] GetProcessHeap () returned 0x4e0000 [0092.124] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.124] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1af0f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.124] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.143] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1af0f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.143] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.144] GetProcessHeap () returned 0x4e0000 [0092.144] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.144] GetProcessHeap () returned 0x4e0000 [0092.144] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.144] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1b2e020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.144] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.153] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1b2e020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.153] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.153] GetProcessHeap () returned 0x4e0000 [0092.153] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.153] GetProcessHeap () returned 0x4e0000 [0092.153] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.153] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1b6b0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.153] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.163] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1b6b0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.163] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.164] GetProcessHeap () returned 0x4e0000 [0092.164] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.164] GetProcessHeap () returned 0x4e0000 [0092.164] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.164] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1ba8140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.164] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.173] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1ba8140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.173] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.174] GetProcessHeap () returned 0x4e0000 [0092.174] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.174] GetProcessHeap () returned 0x4e0000 [0092.174] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.174] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1be51d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.174] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.203] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1be51d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.203] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.204] GetProcessHeap () returned 0x4e0000 [0092.204] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.204] GetProcessHeap () returned 0x4e0000 [0092.204] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.204] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1c22260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.204] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.213] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1c22260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.213] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.213] GetProcessHeap () returned 0x4e0000 [0092.213] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.213] GetProcessHeap () returned 0x4e0000 [0092.213] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.214] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1c5f2f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.214] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.221] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1c5f2f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.221] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.222] GetProcessHeap () returned 0x4e0000 [0092.222] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.222] GetProcessHeap () returned 0x4e0000 [0092.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.222] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1c9c380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.222] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.249] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1c9c380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.249] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.249] GetProcessHeap () returned 0x4e0000 [0092.249] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.250] GetProcessHeap () returned 0x4e0000 [0092.250] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.250] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1cd9410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.250] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.260] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1cd9410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.260] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.261] GetProcessHeap () returned 0x4e0000 [0092.261] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.261] GetProcessHeap () returned 0x4e0000 [0092.261] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.261] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1d164a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.261] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.280] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1d164a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.281] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.281] GetProcessHeap () returned 0x4e0000 [0092.281] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.281] GetProcessHeap () returned 0x4e0000 [0092.281] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.281] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1d53530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.282] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.290] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1d53530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.290] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.290] GetProcessHeap () returned 0x4e0000 [0092.290] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.290] GetProcessHeap () returned 0x4e0000 [0092.290] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.290] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1d905c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.291] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.300] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1d905c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.300] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.301] GetProcessHeap () returned 0x4e0000 [0092.301] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.301] GetProcessHeap () returned 0x4e0000 [0092.301] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.302] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1dcd650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.302] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.311] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1dcd650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.311] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.311] GetProcessHeap () returned 0x4e0000 [0092.311] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.311] GetProcessHeap () returned 0x4e0000 [0092.311] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.312] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1e0a6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.312] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.328] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1e0a6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.329] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.329] GetProcessHeap () returned 0x4e0000 [0092.329] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.329] GetProcessHeap () returned 0x4e0000 [0092.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.329] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1e47770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.330] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.339] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1e47770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.339] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.340] GetProcessHeap () returned 0x4e0000 [0092.340] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.340] GetProcessHeap () returned 0x4e0000 [0092.340] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.340] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1e84800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.340] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.349] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1e84800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.349] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.351] GetProcessHeap () returned 0x4e0000 [0092.351] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.351] GetProcessHeap () returned 0x4e0000 [0092.351] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.351] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1ec1890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.351] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.362] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1ec1890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.362] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.363] GetProcessHeap () returned 0x4e0000 [0092.363] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.363] GetProcessHeap () returned 0x4e0000 [0092.363] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.363] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1efe920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.363] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.385] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1efe920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.385] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.386] GetProcessHeap () returned 0x4e0000 [0092.386] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.387] GetProcessHeap () returned 0x4e0000 [0092.387] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.387] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1f3b9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.387] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.407] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1f3b9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.407] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.408] GetProcessHeap () returned 0x4e0000 [0092.408] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.408] GetProcessHeap () returned 0x4e0000 [0092.408] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.408] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1f78a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.409] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.419] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1f78a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.420] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.420] GetProcessHeap () returned 0x4e0000 [0092.420] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.420] GetProcessHeap () returned 0x4e0000 [0092.420] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.420] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1fb5ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.421] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.431] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1fb5ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.432] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.433] GetProcessHeap () returned 0x4e0000 [0092.433] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.433] GetProcessHeap () returned 0x4e0000 [0092.433] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.433] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1ff2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.433] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.451] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x1ff2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.452] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.453] GetProcessHeap () returned 0x4e0000 [0092.453] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.453] GetProcessHeap () returned 0x4e0000 [0092.453] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.453] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x202fbf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.453] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.464] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x202fbf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.464] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.465] GetProcessHeap () returned 0x4e0000 [0092.465] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.465] GetProcessHeap () returned 0x4e0000 [0092.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.465] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x206cc80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.465] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.476] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x206cc80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.476] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.477] GetProcessHeap () returned 0x4e0000 [0092.477] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.477] GetProcessHeap () returned 0x4e0000 [0092.477] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.477] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x20a9d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.477] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.500] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x20a9d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.500] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.501] GetProcessHeap () returned 0x4e0000 [0092.501] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.501] GetProcessHeap () returned 0x4e0000 [0092.501] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.501] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x20e6da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.501] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.519] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x20e6da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.519] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.521] GetProcessHeap () returned 0x4e0000 [0092.521] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.521] GetProcessHeap () returned 0x4e0000 [0092.521] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.521] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2123e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.521] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.529] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2123e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.529] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.530] GetProcessHeap () returned 0x4e0000 [0092.530] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.530] GetProcessHeap () returned 0x4e0000 [0092.530] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.530] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2160ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.530] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.539] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2160ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.539] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.540] GetProcessHeap () returned 0x4e0000 [0092.540] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.540] GetProcessHeap () returned 0x4e0000 [0092.540] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.540] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x219df50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.540] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.549] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x219df50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.550] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.550] GetProcessHeap () returned 0x4e0000 [0092.550] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.550] GetProcessHeap () returned 0x4e0000 [0092.550] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.550] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x21dafe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.550] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.566] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x21dafe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.566] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.567] GetProcessHeap () returned 0x4e0000 [0092.567] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.567] GetProcessHeap () returned 0x4e0000 [0092.567] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.567] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2218070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.567] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.584] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2218070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.584] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.585] GetProcessHeap () returned 0x4e0000 [0092.585] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.585] GetProcessHeap () returned 0x4e0000 [0092.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.585] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2255100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.585] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.593] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2255100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.593] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.594] GetProcessHeap () returned 0x4e0000 [0092.594] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.594] GetProcessHeap () returned 0x4e0000 [0092.594] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.594] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2292190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.594] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.603] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2292190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.603] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.604] GetProcessHeap () returned 0x4e0000 [0092.604] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.604] GetProcessHeap () returned 0x4e0000 [0092.604] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.604] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x22cf220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.604] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.613] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x22cf220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.613] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.613] GetProcessHeap () returned 0x4e0000 [0092.613] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.613] GetProcessHeap () returned 0x4e0000 [0092.613] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.613] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x230c2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.614] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.630] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x230c2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.630] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.631] GetProcessHeap () returned 0x4e0000 [0092.631] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.631] GetProcessHeap () returned 0x4e0000 [0092.631] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.631] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2349340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.631] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.639] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2349340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.639] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.640] GetProcessHeap () returned 0x4e0000 [0092.640] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.640] GetProcessHeap () returned 0x4e0000 [0092.640] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.640] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x23863d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.640] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.648] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x23863d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.648] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.649] GetProcessHeap () returned 0x4e0000 [0092.649] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.649] GetProcessHeap () returned 0x4e0000 [0092.649] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.649] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x23c3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.649] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.657] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x23c3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.657] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.657] GetProcessHeap () returned 0x4e0000 [0092.657] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.657] GetProcessHeap () returned 0x4e0000 [0092.657] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.657] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x24004f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.657] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.673] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x24004f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.673] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.673] GetProcessHeap () returned 0x4e0000 [0092.673] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.673] GetProcessHeap () returned 0x4e0000 [0092.673] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.673] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x243d580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.674] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.682] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x243d580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.682] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.682] GetProcessHeap () returned 0x4e0000 [0092.682] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.682] GetProcessHeap () returned 0x4e0000 [0092.682] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.682] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x247a610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.682] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.693] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x247a610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.693] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.693] GetProcessHeap () returned 0x4e0000 [0092.693] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.693] GetProcessHeap () returned 0x4e0000 [0092.693] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.693] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x24b76a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.693] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.700] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x24b76a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.700] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.701] GetProcessHeap () returned 0x4e0000 [0092.701] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.701] GetProcessHeap () returned 0x4e0000 [0092.701] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.701] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x24f4730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.701] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.728] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x24f4730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.728] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.730] GetProcessHeap () returned 0x4e0000 [0092.730] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.730] GetProcessHeap () returned 0x4e0000 [0092.730] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.730] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x25317c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.730] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.738] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x25317c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.738] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.738] GetProcessHeap () returned 0x4e0000 [0092.739] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.739] GetProcessHeap () returned 0x4e0000 [0092.739] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.739] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x256e850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.739] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.766] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x256e850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.766] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.767] GetProcessHeap () returned 0x4e0000 [0092.767] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.767] GetProcessHeap () returned 0x4e0000 [0092.767] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.767] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x25ab8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.767] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.782] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x25ab8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.782] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.783] GetProcessHeap () returned 0x4e0000 [0092.783] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.783] GetProcessHeap () returned 0x4e0000 [0092.783] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.783] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x25e8970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.783] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.799] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x25e8970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.799] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.801] GetProcessHeap () returned 0x4e0000 [0092.801] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.801] GetProcessHeap () returned 0x4e0000 [0092.801] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.801] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2625a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.801] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.811] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2625a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.811] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.812] GetProcessHeap () returned 0x4e0000 [0092.812] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.812] GetProcessHeap () returned 0x4e0000 [0092.812] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.812] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2662a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.812] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.844] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2662a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.844] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.844] GetProcessHeap () returned 0x4e0000 [0092.844] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.844] GetProcessHeap () returned 0x4e0000 [0092.845] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.845] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x269fb20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.845] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.854] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x269fb20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.855] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.855] GetProcessHeap () returned 0x4e0000 [0092.855] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.855] GetProcessHeap () returned 0x4e0000 [0092.855] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.855] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x26dcbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.855] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.865] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x26dcbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.866] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.866] GetProcessHeap () returned 0x4e0000 [0092.866] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.866] GetProcessHeap () returned 0x4e0000 [0092.866] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.866] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2719c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.866] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.897] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2719c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.898] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.898] GetProcessHeap () returned 0x4e0000 [0092.898] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.898] GetProcessHeap () returned 0x4e0000 [0092.898] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.898] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2756cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.898] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.919] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2756cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.919] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.920] GetProcessHeap () returned 0x4e0000 [0092.920] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.920] GetProcessHeap () returned 0x4e0000 [0092.920] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.920] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2793d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.920] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.935] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2793d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.935] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.936] GetProcessHeap () returned 0x4e0000 [0092.936] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.936] GetProcessHeap () returned 0x4e0000 [0092.936] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.936] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x27d0df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.936] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.953] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x27d0df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.953] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.954] GetProcessHeap () returned 0x4e0000 [0092.954] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.954] GetProcessHeap () returned 0x4e0000 [0092.954] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.954] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x280de80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.954] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.972] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x280de80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.972] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.973] GetProcessHeap () returned 0x4e0000 [0092.973] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0092.973] GetProcessHeap () returned 0x4e0000 [0092.973] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0092.973] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x284af10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.973] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.052] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x284af10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.052] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.053] GetProcessHeap () returned 0x4e0000 [0093.053] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.053] GetProcessHeap () returned 0x4e0000 [0093.053] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.053] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2887fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.053] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.061] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2887fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.061] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.062] GetProcessHeap () returned 0x4e0000 [0093.062] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.062] GetProcessHeap () returned 0x4e0000 [0093.062] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.062] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x28c5030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.062] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.076] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x28c5030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.076] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.077] GetProcessHeap () returned 0x4e0000 [0093.077] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.077] GetProcessHeap () returned 0x4e0000 [0093.077] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.077] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x29020c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.077] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.096] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x29020c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.096] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.097] GetProcessHeap () returned 0x4e0000 [0093.097] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.097] GetProcessHeap () returned 0x4e0000 [0093.097] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.097] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x293f150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.097] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.105] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x293f150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.105] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.106] GetProcessHeap () returned 0x4e0000 [0093.106] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.106] GetProcessHeap () returned 0x4e0000 [0093.106] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.106] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x297c1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.106] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.131] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x297c1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.131] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.132] GetProcessHeap () returned 0x4e0000 [0093.132] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.132] GetProcessHeap () returned 0x4e0000 [0093.132] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.132] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x29b9270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.132] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.143] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x29b9270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.143] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.143] GetProcessHeap () returned 0x4e0000 [0093.143] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.143] GetProcessHeap () returned 0x4e0000 [0093.143] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.143] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x29f6300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.144] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.159] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x29f6300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.159] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.161] GetProcessHeap () returned 0x4e0000 [0093.161] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.161] GetProcessHeap () returned 0x4e0000 [0093.161] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.161] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2a33390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.161] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.172] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2a33390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.172] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.173] GetProcessHeap () returned 0x4e0000 [0093.173] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.173] GetProcessHeap () returned 0x4e0000 [0093.173] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.173] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2a70420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.173] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.203] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2a70420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.203] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.203] GetProcessHeap () returned 0x4e0000 [0093.203] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.203] GetProcessHeap () returned 0x4e0000 [0093.203] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.204] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2aad4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.204] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.213] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2aad4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.214] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.214] GetProcessHeap () returned 0x4e0000 [0093.214] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.214] GetProcessHeap () returned 0x4e0000 [0093.214] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.214] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2aea540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.214] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.233] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2aea540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.233] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.235] GetProcessHeap () returned 0x4e0000 [0093.235] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.235] GetProcessHeap () returned 0x4e0000 [0093.235] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.235] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2b275d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.235] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.244] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2b275d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.244] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.245] GetProcessHeap () returned 0x4e0000 [0093.245] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.245] GetProcessHeap () returned 0x4e0000 [0093.245] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.245] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2b64660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.245] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.254] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2b64660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.255] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.255] GetProcessHeap () returned 0x4e0000 [0093.255] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.255] GetProcessHeap () returned 0x4e0000 [0093.255] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.255] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2ba16f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.255] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.265] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2ba16f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.265] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.266] GetProcessHeap () returned 0x4e0000 [0093.266] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.266] GetProcessHeap () returned 0x4e0000 [0093.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.266] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2bde780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.266] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.275] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2bde780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.275] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.276] GetProcessHeap () returned 0x4e0000 [0093.276] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.276] GetProcessHeap () returned 0x4e0000 [0093.276] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.276] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2c1b810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.276] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.298] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2c1b810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.298] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.298] GetProcessHeap () returned 0x4e0000 [0093.298] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.298] GetProcessHeap () returned 0x4e0000 [0093.298] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.298] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2c588a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.299] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.308] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2c588a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.308] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.309] GetProcessHeap () returned 0x4e0000 [0093.309] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.309] GetProcessHeap () returned 0x4e0000 [0093.309] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.309] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2c95930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.309] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.319] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2c95930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.319] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.320] GetProcessHeap () returned 0x4e0000 [0093.320] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.320] GetProcessHeap () returned 0x4e0000 [0093.320] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.320] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2cd29c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.320] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.329] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2cd29c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.330] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.330] GetProcessHeap () returned 0x4e0000 [0093.330] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.330] GetProcessHeap () returned 0x4e0000 [0093.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.330] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2d0fa50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.331] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.346] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2d0fa50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.346] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.347] GetProcessHeap () returned 0x4e0000 [0093.347] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.347] GetProcessHeap () returned 0x4e0000 [0093.347] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.347] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2d4cae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.347] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.356] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2d4cae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.356] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.356] GetProcessHeap () returned 0x4e0000 [0093.356] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.356] GetProcessHeap () returned 0x4e0000 [0093.356] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.357] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2d89b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.357] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.366] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2d89b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.366] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.367] GetProcessHeap () returned 0x4e0000 [0093.367] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.367] GetProcessHeap () returned 0x4e0000 [0093.367] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.367] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2dc6c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.367] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.377] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2dc6c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.377] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.377] GetProcessHeap () returned 0x4e0000 [0093.377] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.377] GetProcessHeap () returned 0x4e0000 [0093.377] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.377] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2e03c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.377] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.393] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2e03c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.393] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.394] GetProcessHeap () returned 0x4e0000 [0093.394] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.394] GetProcessHeap () returned 0x4e0000 [0093.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.394] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2e40d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.394] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.404] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2e40d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.404] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.405] GetProcessHeap () returned 0x4e0000 [0093.405] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.405] GetProcessHeap () returned 0x4e0000 [0093.405] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.405] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2e7ddb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.405] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.415] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2e7ddb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.415] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.416] GetProcessHeap () returned 0x4e0000 [0093.416] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.416] GetProcessHeap () returned 0x4e0000 [0093.416] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.416] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2ebae40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.416] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.426] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2ebae40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.426] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.427] GetProcessHeap () returned 0x4e0000 [0093.427] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.427] GetProcessHeap () returned 0x4e0000 [0093.427] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.427] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2ef7ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.427] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.445] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2ef7ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.445] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.446] GetProcessHeap () returned 0x4e0000 [0093.446] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.446] GetProcessHeap () returned 0x4e0000 [0093.446] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.446] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2f34f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.446] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.456] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2f34f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.456] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.457] GetProcessHeap () returned 0x4e0000 [0093.457] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.457] GetProcessHeap () returned 0x4e0000 [0093.457] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.457] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2f71ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.457] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.466] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2f71ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.466] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.467] GetProcessHeap () returned 0x4e0000 [0093.467] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.467] GetProcessHeap () returned 0x4e0000 [0093.467] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.467] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2faf080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.467] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.476] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2faf080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.476] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.476] GetProcessHeap () returned 0x4e0000 [0093.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.476] GetProcessHeap () returned 0x4e0000 [0093.476] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.477] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2fec110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.477] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.521] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2fec110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.521] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.522] GetProcessHeap () returned 0x4e0000 [0093.522] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.522] GetProcessHeap () returned 0x4e0000 [0093.522] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.522] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x30291a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.522] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.529] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x30291a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.529] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.529] GetProcessHeap () returned 0x4e0000 [0093.529] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.529] GetProcessHeap () returned 0x4e0000 [0093.530] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.530] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3066230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.530] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.539] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3066230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.539] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.540] GetProcessHeap () returned 0x4e0000 [0093.540] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.540] GetProcessHeap () returned 0x4e0000 [0093.540] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.540] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x30a32c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.540] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.555] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x30a32c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.555] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.556] GetProcessHeap () returned 0x4e0000 [0093.556] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.556] GetProcessHeap () returned 0x4e0000 [0093.556] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.556] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x30e0350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.556] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.564] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x30e0350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.564] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.565] GetProcessHeap () returned 0x4e0000 [0093.565] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.565] GetProcessHeap () returned 0x4e0000 [0093.565] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.565] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x311d3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.565] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.583] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x311d3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.583] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.584] GetProcessHeap () returned 0x4e0000 [0093.584] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.584] GetProcessHeap () returned 0x4e0000 [0093.584] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.584] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x315a470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.584] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.594] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x315a470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.594] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.595] GetProcessHeap () returned 0x4e0000 [0093.595] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.595] GetProcessHeap () returned 0x4e0000 [0093.595] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.595] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3197500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.595] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.605] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3197500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.605] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.605] GetProcessHeap () returned 0x4e0000 [0093.606] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.606] GetProcessHeap () returned 0x4e0000 [0093.606] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.606] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x31d4590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.606] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.615] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x31d4590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.615] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.616] GetProcessHeap () returned 0x4e0000 [0093.616] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.616] GetProcessHeap () returned 0x4e0000 [0093.616] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.616] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3211620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.616] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.634] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3211620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.635] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.635] GetProcessHeap () returned 0x4e0000 [0093.635] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.635] GetProcessHeap () returned 0x4e0000 [0093.635] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.635] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x324e6b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.635] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.645] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x324e6b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.645] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.646] GetProcessHeap () returned 0x4e0000 [0093.646] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.646] GetProcessHeap () returned 0x4e0000 [0093.646] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.646] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x328b740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.646] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.656] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x328b740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.656] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.657] GetProcessHeap () returned 0x4e0000 [0093.657] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.657] GetProcessHeap () returned 0x4e0000 [0093.657] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.657] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x32c87d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.657] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.666] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x32c87d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.666] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.667] GetProcessHeap () returned 0x4e0000 [0093.667] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.667] GetProcessHeap () returned 0x4e0000 [0093.667] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.667] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3305860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.667] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.686] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3305860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.686] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.687] GetProcessHeap () returned 0x4e0000 [0093.687] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.687] GetProcessHeap () returned 0x4e0000 [0093.687] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.687] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x33428f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.687] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.696] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x33428f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.696] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.697] GetProcessHeap () returned 0x4e0000 [0093.697] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.697] GetProcessHeap () returned 0x4e0000 [0093.697] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.697] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x337f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.697] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.707] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x337f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.707] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.708] GetProcessHeap () returned 0x4e0000 [0093.708] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.708] GetProcessHeap () returned 0x4e0000 [0093.708] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.708] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x33bca10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.708] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.718] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x33bca10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.718] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.719] GetProcessHeap () returned 0x4e0000 [0093.719] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.719] GetProcessHeap () returned 0x4e0000 [0093.719] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.719] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x33f9aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.720] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.735] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x33f9aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.735] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.737] GetProcessHeap () returned 0x4e0000 [0093.737] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.737] GetProcessHeap () returned 0x4e0000 [0093.737] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.737] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3436b30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.737] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.747] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3436b30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.747] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.748] GetProcessHeap () returned 0x4e0000 [0093.748] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.748] GetProcessHeap () returned 0x4e0000 [0093.748] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.748] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3473bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.748] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.757] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3473bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.757] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.758] GetProcessHeap () returned 0x4e0000 [0093.758] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.758] GetProcessHeap () returned 0x4e0000 [0093.758] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.758] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x34b0c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.758] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.768] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x34b0c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.768] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.769] GetProcessHeap () returned 0x4e0000 [0093.769] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.769] GetProcessHeap () returned 0x4e0000 [0093.769] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.769] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x34edce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.769] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.787] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x34edce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.787] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.789] GetProcessHeap () returned 0x4e0000 [0093.789] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.789] GetProcessHeap () returned 0x4e0000 [0093.789] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.789] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x352ad70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.789] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.797] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x352ad70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.798] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.798] GetProcessHeap () returned 0x4e0000 [0093.798] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.798] GetProcessHeap () returned 0x4e0000 [0093.798] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.798] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3567e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.798] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.808] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3567e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.808] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.809] GetProcessHeap () returned 0x4e0000 [0093.809] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.809] GetProcessHeap () returned 0x4e0000 [0093.809] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.809] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x35a4e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.809] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.820] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x35a4e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.820] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.821] GetProcessHeap () returned 0x4e0000 [0093.821] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.821] GetProcessHeap () returned 0x4e0000 [0093.821] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.821] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x35e1f20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.821] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.839] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x35e1f20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.839] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.841] GetProcessHeap () returned 0x4e0000 [0093.841] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.841] GetProcessHeap () returned 0x4e0000 [0093.841] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.841] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x361efb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.841] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.850] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x361efb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.850] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.851] GetProcessHeap () returned 0x4e0000 [0093.851] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.851] GetProcessHeap () returned 0x4e0000 [0093.851] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.851] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x365c040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.851] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.859] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x365c040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.859] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.859] GetProcessHeap () returned 0x4e0000 [0093.860] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.860] GetProcessHeap () returned 0x4e0000 [0093.860] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.860] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x36990d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.860] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.868] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x36990d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.868] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.869] GetProcessHeap () returned 0x4e0000 [0093.869] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.869] GetProcessHeap () returned 0x4e0000 [0093.869] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.869] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x36d6160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.869] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.878] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x36d6160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.878] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.880] GetProcessHeap () returned 0x4e0000 [0093.880] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.880] GetProcessHeap () returned 0x4e0000 [0093.880] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.880] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x37131f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.880] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.897] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x37131f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.897] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.898] GetProcessHeap () returned 0x4e0000 [0093.898] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.898] GetProcessHeap () returned 0x4e0000 [0093.898] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.898] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3750280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.898] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.907] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3750280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.908] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.908] GetProcessHeap () returned 0x4e0000 [0093.908] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.908] GetProcessHeap () returned 0x4e0000 [0093.908] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.908] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x378d310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.909] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.918] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x378d310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.918] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.919] GetProcessHeap () returned 0x4e0000 [0093.919] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.919] GetProcessHeap () returned 0x4e0000 [0093.919] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.919] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x37ca3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.919] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.929] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x37ca3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.929] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.930] GetProcessHeap () returned 0x4e0000 [0093.930] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.930] GetProcessHeap () returned 0x4e0000 [0093.930] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.930] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3807430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.930] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.945] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3807430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.945] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.946] GetProcessHeap () returned 0x4e0000 [0093.946] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.946] GetProcessHeap () returned 0x4e0000 [0093.946] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.946] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x38444c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.946] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.956] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x38444c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.956] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.956] GetProcessHeap () returned 0x4e0000 [0093.956] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.956] GetProcessHeap () returned 0x4e0000 [0093.957] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.957] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3881550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.957] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.966] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3881550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.966] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.967] GetProcessHeap () returned 0x4e0000 [0093.967] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.967] GetProcessHeap () returned 0x4e0000 [0093.967] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.967] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x38be5e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.967] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.975] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x38be5e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.975] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.976] GetProcessHeap () returned 0x4e0000 [0093.976] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.976] GetProcessHeap () returned 0x4e0000 [0093.976] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.976] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x38fb670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.976] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.990] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x38fb670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.990] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.991] GetProcessHeap () returned 0x4e0000 [0093.991] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0093.991] GetProcessHeap () returned 0x4e0000 [0093.991] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0093.991] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3938700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.991] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.003] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3938700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.003] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.004] GetProcessHeap () returned 0x4e0000 [0094.004] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.004] GetProcessHeap () returned 0x4e0000 [0094.004] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.004] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3975790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.004] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.012] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3975790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.012] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.013] GetProcessHeap () returned 0x4e0000 [0094.013] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.013] GetProcessHeap () returned 0x4e0000 [0094.013] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.013] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x39b2820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.013] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.022] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x39b2820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.022] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.022] GetProcessHeap () returned 0x4e0000 [0094.022] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.022] GetProcessHeap () returned 0x4e0000 [0094.022] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.022] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x39ef8b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.022] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.039] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x39ef8b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.039] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.041] GetProcessHeap () returned 0x4e0000 [0094.041] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.041] GetProcessHeap () returned 0x4e0000 [0094.041] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.041] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3a2c940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.041] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.050] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3a2c940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.050] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.050] GetProcessHeap () returned 0x4e0000 [0094.050] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.050] GetProcessHeap () returned 0x4e0000 [0094.050] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.050] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3a699d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.051] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.059] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3a699d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.059] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.060] GetProcessHeap () returned 0x4e0000 [0094.060] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.060] GetProcessHeap () returned 0x4e0000 [0094.060] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.060] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3aa6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.060] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.071] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3aa6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.071] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.071] GetProcessHeap () returned 0x4e0000 [0094.071] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.071] GetProcessHeap () returned 0x4e0000 [0094.072] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.072] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3ae3af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.072] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.090] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3ae3af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.091] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.092] GetProcessHeap () returned 0x4e0000 [0094.092] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.092] GetProcessHeap () returned 0x4e0000 [0094.092] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.092] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3b20b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.092] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.102] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3b20b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.102] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.103] GetProcessHeap () returned 0x4e0000 [0094.103] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.103] GetProcessHeap () returned 0x4e0000 [0094.103] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.103] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3b5dc10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.103] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.113] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3b5dc10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.113] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.114] GetProcessHeap () returned 0x4e0000 [0094.114] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.114] GetProcessHeap () returned 0x4e0000 [0094.114] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.114] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3b9aca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.114] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.124] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3b9aca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.124] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.125] GetProcessHeap () returned 0x4e0000 [0094.125] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.125] GetProcessHeap () returned 0x4e0000 [0094.125] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.125] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3bd7d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.125] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.136] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3bd7d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.136] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.137] GetProcessHeap () returned 0x4e0000 [0094.137] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.137] GetProcessHeap () returned 0x4e0000 [0094.137] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.137] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3c14dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.137] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.156] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3c14dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.156] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.157] GetProcessHeap () returned 0x4e0000 [0094.157] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.157] GetProcessHeap () returned 0x4e0000 [0094.157] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.157] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3c51e50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.157] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.166] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3c51e50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.166] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.167] GetProcessHeap () returned 0x4e0000 [0094.167] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.167] GetProcessHeap () returned 0x4e0000 [0094.167] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.167] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3c8eee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.167] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.177] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3c8eee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.177] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.178] GetProcessHeap () returned 0x4e0000 [0094.178] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.178] GetProcessHeap () returned 0x4e0000 [0094.178] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.178] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3ccbf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.178] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.204] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3ccbf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.205] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.205] GetProcessHeap () returned 0x4e0000 [0094.205] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.205] GetProcessHeap () returned 0x4e0000 [0094.205] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.205] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3d09000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.205] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.222] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3d09000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.222] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.222] GetProcessHeap () returned 0x4e0000 [0094.222] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.222] GetProcessHeap () returned 0x4e0000 [0094.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.222] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3d46090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.222] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.232] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3d46090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.232] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.233] GetProcessHeap () returned 0x4e0000 [0094.233] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.233] GetProcessHeap () returned 0x4e0000 [0094.233] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.233] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3d83120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.233] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.243] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3d83120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.243] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.244] GetProcessHeap () returned 0x4e0000 [0094.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.244] GetProcessHeap () returned 0x4e0000 [0094.244] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.244] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3dc01b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.245] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.255] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3dc01b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.255] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.256] GetProcessHeap () returned 0x4e0000 [0094.256] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.256] GetProcessHeap () returned 0x4e0000 [0094.256] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.256] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3dfd240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.256] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.272] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3dfd240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.272] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.274] GetProcessHeap () returned 0x4e0000 [0094.274] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.274] GetProcessHeap () returned 0x4e0000 [0094.274] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.274] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3e3a2d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.274] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.283] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3e3a2d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.283] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.284] GetProcessHeap () returned 0x4e0000 [0094.284] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.284] GetProcessHeap () returned 0x4e0000 [0094.284] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.284] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3e77360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.284] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.294] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3e77360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.294] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.294] GetProcessHeap () returned 0x4e0000 [0094.294] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.295] GetProcessHeap () returned 0x4e0000 [0094.295] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.295] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3eb43f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.295] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.304] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3eb43f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.304] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.305] GetProcessHeap () returned 0x4e0000 [0094.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.305] GetProcessHeap () returned 0x4e0000 [0094.305] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.305] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3ef1480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.305] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.322] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3ef1480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.322] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.324] GetProcessHeap () returned 0x4e0000 [0094.324] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.324] GetProcessHeap () returned 0x4e0000 [0094.324] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.324] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3f2e510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.324] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.334] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3f2e510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.334] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.334] GetProcessHeap () returned 0x4e0000 [0094.334] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.334] GetProcessHeap () returned 0x4e0000 [0094.335] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.335] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3f6b5a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.335] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.345] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3f6b5a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.345] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.345] GetProcessHeap () returned 0x4e0000 [0094.345] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.345] GetProcessHeap () returned 0x4e0000 [0094.345] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.345] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3fa8630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.346] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.355] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3fa8630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.355] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.356] GetProcessHeap () returned 0x4e0000 [0094.356] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.356] GetProcessHeap () returned 0x4e0000 [0094.356] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.356] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3fe56c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.356] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.374] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x3fe56c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.374] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.376] GetProcessHeap () returned 0x4e0000 [0094.376] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.376] GetProcessHeap () returned 0x4e0000 [0094.376] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.376] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4022750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.376] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.384] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4022750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.384] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.385] GetProcessHeap () returned 0x4e0000 [0094.385] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.385] GetProcessHeap () returned 0x4e0000 [0094.385] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.385] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x405f7e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.385] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.396] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x405f7e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.396] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.397] GetProcessHeap () returned 0x4e0000 [0094.397] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.397] GetProcessHeap () returned 0x4e0000 [0094.397] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.397] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x409c870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.397] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.406] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x409c870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.406] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.407] GetProcessHeap () returned 0x4e0000 [0094.407] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.407] GetProcessHeap () returned 0x4e0000 [0094.407] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.407] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x40d9900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.407] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.417] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x40d9900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.417] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.417] GetProcessHeap () returned 0x4e0000 [0094.417] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.417] GetProcessHeap () returned 0x4e0000 [0094.417] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.417] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4116990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.417] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.435] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4116990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.435] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.435] GetProcessHeap () returned 0x4e0000 [0094.436] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.436] GetProcessHeap () returned 0x4e0000 [0094.436] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.436] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4153a20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.436] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.446] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4153a20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.446] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.446] GetProcessHeap () returned 0x4e0000 [0094.446] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.446] GetProcessHeap () returned 0x4e0000 [0094.447] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.447] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4190ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.447] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.456] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4190ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.456] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.457] GetProcessHeap () returned 0x4e0000 [0094.457] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.457] GetProcessHeap () returned 0x4e0000 [0094.457] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.457] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x41cdb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.457] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.466] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x41cdb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.466] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.467] GetProcessHeap () returned 0x4e0000 [0094.467] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.467] GetProcessHeap () returned 0x4e0000 [0094.467] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.467] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x420abd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.467] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.498] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x420abd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.498] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.499] GetProcessHeap () returned 0x4e0000 [0094.499] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.499] GetProcessHeap () returned 0x4e0000 [0094.499] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.499] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4247c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.499] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.509] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4247c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.509] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.509] GetProcessHeap () returned 0x4e0000 [0094.509] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.509] GetProcessHeap () returned 0x4e0000 [0094.509] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.509] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4284cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.509] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.519] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4284cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.519] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.520] GetProcessHeap () returned 0x4e0000 [0094.520] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.520] GetProcessHeap () returned 0x4e0000 [0094.520] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.520] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x42c1d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.520] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.529] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x42c1d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.529] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.530] GetProcessHeap () returned 0x4e0000 [0094.530] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.530] GetProcessHeap () returned 0x4e0000 [0094.530] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.530] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x42fee10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.530] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.547] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x42fee10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.547] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.548] GetProcessHeap () returned 0x4e0000 [0094.548] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.548] GetProcessHeap () returned 0x4e0000 [0094.548] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.548] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x433bea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.548] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.558] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x433bea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.558] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.558] GetProcessHeap () returned 0x4e0000 [0094.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.558] GetProcessHeap () returned 0x4e0000 [0094.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.559] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4378f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.559] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.567] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4378f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.567] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.568] GetProcessHeap () returned 0x4e0000 [0094.568] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.568] GetProcessHeap () returned 0x4e0000 [0094.568] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.568] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x43b5fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.568] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.576] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x43b5fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.576] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.577] GetProcessHeap () returned 0x4e0000 [0094.577] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.577] GetProcessHeap () returned 0x4e0000 [0094.577] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.577] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x43f3050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.577] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.595] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x43f3050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.595] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.596] GetProcessHeap () returned 0x4e0000 [0094.596] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.596] GetProcessHeap () returned 0x4e0000 [0094.596] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.597] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x44300e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.597] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.604] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x44300e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.605] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.605] GetProcessHeap () returned 0x4e0000 [0094.605] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.605] GetProcessHeap () returned 0x4e0000 [0094.605] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.605] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x446d170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.605] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.615] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x446d170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.615] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.615] GetProcessHeap () returned 0x4e0000 [0094.615] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.615] GetProcessHeap () returned 0x4e0000 [0094.615] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.615] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x44aa200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.615] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.626] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x44aa200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.626] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.627] GetProcessHeap () returned 0x4e0000 [0094.627] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.627] GetProcessHeap () returned 0x4e0000 [0094.627] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.627] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x44e7290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.627] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.645] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x44e7290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.646] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.647] GetProcessHeap () returned 0x4e0000 [0094.647] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.647] GetProcessHeap () returned 0x4e0000 [0094.647] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.647] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4524320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.648] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.657] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4524320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.657] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.658] GetProcessHeap () returned 0x4e0000 [0094.658] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.658] GetProcessHeap () returned 0x4e0000 [0094.658] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.658] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x45613b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.658] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.668] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x45613b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.669] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.669] GetProcessHeap () returned 0x4e0000 [0094.669] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.669] GetProcessHeap () returned 0x4e0000 [0094.669] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.670] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x459e440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.670] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.678] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x459e440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.678] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.679] GetProcessHeap () returned 0x4e0000 [0094.679] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.679] GetProcessHeap () returned 0x4e0000 [0094.679] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.679] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x45db4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.679] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.709] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x45db4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.709] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.710] GetProcessHeap () returned 0x4e0000 [0094.710] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.710] GetProcessHeap () returned 0x4e0000 [0094.710] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.710] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4618560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.710] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.731] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4618560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.731] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.732] GetProcessHeap () returned 0x4e0000 [0094.732] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.732] GetProcessHeap () returned 0x4e0000 [0094.732] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.732] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x46555f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.732] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.743] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x46555f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.743] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.744] GetProcessHeap () returned 0x4e0000 [0094.744] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.744] GetProcessHeap () returned 0x4e0000 [0094.744] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.744] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4692680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.744] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.757] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4692680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.757] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.758] GetProcessHeap () returned 0x4e0000 [0094.758] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.758] GetProcessHeap () returned 0x4e0000 [0094.758] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.758] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x46cf710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.758] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.767] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x46cf710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.767] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.767] GetProcessHeap () returned 0x4e0000 [0094.767] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.767] GetProcessHeap () returned 0x4e0000 [0094.767] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.768] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x470c7a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.768] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.789] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x470c7a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.789] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.790] GetProcessHeap () returned 0x4e0000 [0094.790] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.790] GetProcessHeap () returned 0x4e0000 [0094.790] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.790] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4749830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.790] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.802] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4749830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.803] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.803] GetProcessHeap () returned 0x4e0000 [0094.803] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.803] GetProcessHeap () returned 0x4e0000 [0094.803] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.803] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x47868c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.803] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.813] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x47868c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.813] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.814] GetProcessHeap () returned 0x4e0000 [0094.814] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.814] GetProcessHeap () returned 0x4e0000 [0094.814] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.814] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x47c3950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.814] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.822] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x47c3950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.824] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.824] GetProcessHeap () returned 0x4e0000 [0094.824] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.824] GetProcessHeap () returned 0x4e0000 [0094.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.825] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x48009e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.825] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.843] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x48009e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.843] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.844] GetProcessHeap () returned 0x4e0000 [0094.844] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.844] GetProcessHeap () returned 0x4e0000 [0094.844] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.844] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x483da70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.844] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.854] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x483da70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.854] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.855] GetProcessHeap () returned 0x4e0000 [0094.855] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.855] GetProcessHeap () returned 0x4e0000 [0094.855] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.855] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x487ab00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.855] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.865] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x487ab00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.865] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.866] GetProcessHeap () returned 0x4e0000 [0094.866] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.866] GetProcessHeap () returned 0x4e0000 [0094.866] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.866] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x48b7b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.866] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.875] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x48b7b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.875] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.876] GetProcessHeap () returned 0x4e0000 [0094.876] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.876] GetProcessHeap () returned 0x4e0000 [0094.876] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.876] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x48f4c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.877] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.895] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x48f4c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.896] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.897] GetProcessHeap () returned 0x4e0000 [0094.897] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.897] GetProcessHeap () returned 0x4e0000 [0094.897] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.897] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4931cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.897] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.907] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4931cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.907] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.907] GetProcessHeap () returned 0x4e0000 [0094.907] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.908] GetProcessHeap () returned 0x4e0000 [0094.908] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.908] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x496ed40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.908] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.918] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x496ed40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.918] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.919] GetProcessHeap () returned 0x4e0000 [0094.919] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.919] GetProcessHeap () returned 0x4e0000 [0094.919] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.919] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x49abdd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.919] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.953] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x49abdd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.953] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.954] GetProcessHeap () returned 0x4e0000 [0094.954] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.954] GetProcessHeap () returned 0x4e0000 [0094.954] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.954] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x49e8e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.955] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.975] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x49e8e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.975] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.976] GetProcessHeap () returned 0x4e0000 [0094.976] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.976] GetProcessHeap () returned 0x4e0000 [0094.976] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.976] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4a25ef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.976] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.988] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4a25ef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.989] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.989] GetProcessHeap () returned 0x4e0000 [0094.990] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0094.990] GetProcessHeap () returned 0x4e0000 [0094.990] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0094.990] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4a62f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.990] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.000] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4a62f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.000] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.002] GetProcessHeap () returned 0x4e0000 [0095.002] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.002] GetProcessHeap () returned 0x4e0000 [0095.002] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.002] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4aa0010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.003] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.012] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4aa0010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.012] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.013] GetProcessHeap () returned 0x4e0000 [0095.013] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.013] GetProcessHeap () returned 0x4e0000 [0095.013] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.013] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4add0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.013] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.022] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4add0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.023] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.023] GetProcessHeap () returned 0x4e0000 [0095.023] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.023] GetProcessHeap () returned 0x4e0000 [0095.023] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.023] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4b1a130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.023] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.048] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4b1a130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.048] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.048] GetProcessHeap () returned 0x4e0000 [0095.048] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.048] GetProcessHeap () returned 0x4e0000 [0095.048] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.048] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4b571c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.048] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.057] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4b571c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.057] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.058] GetProcessHeap () returned 0x4e0000 [0095.058] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.058] GetProcessHeap () returned 0x4e0000 [0095.058] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.058] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4b94250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.058] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.067] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4b94250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.067] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.068] GetProcessHeap () returned 0x4e0000 [0095.068] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.068] GetProcessHeap () returned 0x4e0000 [0095.068] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.068] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4bd12e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.068] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.079] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4bd12e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.079] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.079] GetProcessHeap () returned 0x4e0000 [0095.080] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.080] GetProcessHeap () returned 0x4e0000 [0095.080] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.080] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4c0e370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.080] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.095] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4c0e370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.096] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.096] GetProcessHeap () returned 0x4e0000 [0095.096] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.096] GetProcessHeap () returned 0x4e0000 [0095.096] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.096] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4c4b400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.097] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.106] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4c4b400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.106] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.107] GetProcessHeap () returned 0x4e0000 [0095.107] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.107] GetProcessHeap () returned 0x4e0000 [0095.107] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.107] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4c88490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.107] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.118] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4c88490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.118] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.119] GetProcessHeap () returned 0x4e0000 [0095.119] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.119] GetProcessHeap () returned 0x4e0000 [0095.119] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.119] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4cc5520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.119] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.126] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4cc5520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.127] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.127] GetProcessHeap () returned 0x4e0000 [0095.127] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.127] GetProcessHeap () returned 0x4e0000 [0095.127] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.127] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4d025b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.127] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.155] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4d025b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.155] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.156] GetProcessHeap () returned 0x4e0000 [0095.156] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.156] GetProcessHeap () returned 0x4e0000 [0095.156] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.156] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4d3f640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.156] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.165] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4d3f640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.165] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.166] GetProcessHeap () returned 0x4e0000 [0095.166] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.166] GetProcessHeap () returned 0x4e0000 [0095.166] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.166] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4d7c6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.166] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.178] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4d7c6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.178] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.178] GetProcessHeap () returned 0x4e0000 [0095.179] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.179] GetProcessHeap () returned 0x4e0000 [0095.179] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.179] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4db9760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.179] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.209] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4db9760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.209] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.209] GetProcessHeap () returned 0x4e0000 [0095.210] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.210] GetProcessHeap () returned 0x4e0000 [0095.210] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.210] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4df67f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.210] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.227] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4df67f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.227] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.229] GetProcessHeap () returned 0x4e0000 [0095.229] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.229] GetProcessHeap () returned 0x4e0000 [0095.229] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.229] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4e33880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.229] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.237] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4e33880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.237] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.237] GetProcessHeap () returned 0x4e0000 [0095.237] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.238] GetProcessHeap () returned 0x4e0000 [0095.238] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.238] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4e70910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.238] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.246] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4e70910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.246] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.247] GetProcessHeap () returned 0x4e0000 [0095.247] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.247] GetProcessHeap () returned 0x4e0000 [0095.247] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.247] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4ead9a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.247] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.255] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4ead9a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.256] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.256] GetProcessHeap () returned 0x4e0000 [0095.256] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.256] GetProcessHeap () returned 0x4e0000 [0095.256] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.256] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4eeaa30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.256] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.274] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4eeaa30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.274] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.275] GetProcessHeap () returned 0x4e0000 [0095.275] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.275] GetProcessHeap () returned 0x4e0000 [0095.275] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.275] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4f27ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.275] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.284] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4f27ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.284] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.285] GetProcessHeap () returned 0x4e0000 [0095.285] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.285] GetProcessHeap () returned 0x4e0000 [0095.285] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.285] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4f64b50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.285] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.293] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4f64b50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.293] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.293] GetProcessHeap () returned 0x4e0000 [0095.294] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.294] GetProcessHeap () returned 0x4e0000 [0095.294] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.294] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4fa1be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.294] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.303] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4fa1be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.303] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.304] GetProcessHeap () returned 0x4e0000 [0095.304] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.304] GetProcessHeap () returned 0x4e0000 [0095.304] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.304] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4fdec70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.304] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.313] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x4fdec70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.313] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.313] GetProcessHeap () returned 0x4e0000 [0095.313] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.313] GetProcessHeap () returned 0x4e0000 [0095.313] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.313] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x501bd00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.313] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.329] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x501bd00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.329] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.330] GetProcessHeap () returned 0x4e0000 [0095.330] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.330] GetProcessHeap () returned 0x4e0000 [0095.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.330] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5058d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.330] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.339] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5058d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.339] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.339] GetProcessHeap () returned 0x4e0000 [0095.339] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.339] GetProcessHeap () returned 0x4e0000 [0095.339] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.339] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5095e20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.340] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.349] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5095e20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.349] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.350] GetProcessHeap () returned 0x4e0000 [0095.350] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.350] GetProcessHeap () returned 0x4e0000 [0095.350] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.350] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x50d2eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.350] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.358] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x50d2eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.358] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.359] GetProcessHeap () returned 0x4e0000 [0095.359] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.359] GetProcessHeap () returned 0x4e0000 [0095.359] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.359] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x510ff40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.359] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.374] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x510ff40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.375] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.375] GetProcessHeap () returned 0x4e0000 [0095.375] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.375] GetProcessHeap () returned 0x4e0000 [0095.375] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.375] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x514cfd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.375] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.385] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x514cfd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.385] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.386] GetProcessHeap () returned 0x4e0000 [0095.386] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.386] GetProcessHeap () returned 0x4e0000 [0095.386] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.386] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x518a060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.386] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.396] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x518a060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.396] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.397] GetProcessHeap () returned 0x4e0000 [0095.397] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.397] GetProcessHeap () returned 0x4e0000 [0095.397] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.397] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x51c70f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.397] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.417] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x51c70f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.418] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.420] GetProcessHeap () returned 0x4e0000 [0095.420] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.420] GetProcessHeap () returned 0x4e0000 [0095.420] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.420] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5204180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.420] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.445] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5204180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.445] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.446] GetProcessHeap () returned 0x4e0000 [0095.446] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.446] GetProcessHeap () returned 0x4e0000 [0095.446] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.446] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5241210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.446] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.458] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5241210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.458] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.458] GetProcessHeap () returned 0x4e0000 [0095.459] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.459] GetProcessHeap () returned 0x4e0000 [0095.459] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.459] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x527e2a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.459] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.470] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x527e2a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.470] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.470] GetProcessHeap () returned 0x4e0000 [0095.470] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.470] GetProcessHeap () returned 0x4e0000 [0095.470] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.470] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x52bb330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.471] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.479] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x52bb330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.480] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.480] GetProcessHeap () returned 0x4e0000 [0095.480] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.480] GetProcessHeap () returned 0x4e0000 [0095.480] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.480] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x52f83c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.480] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.513] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x52f83c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.513] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.515] GetProcessHeap () returned 0x4e0000 [0095.515] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.515] GetProcessHeap () returned 0x4e0000 [0095.515] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.515] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5335450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.515] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.524] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5335450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.525] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.525] GetProcessHeap () returned 0x4e0000 [0095.525] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.525] GetProcessHeap () returned 0x4e0000 [0095.525] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.525] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x53724e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.526] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.534] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x53724e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.534] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.535] GetProcessHeap () returned 0x4e0000 [0095.535] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.535] GetProcessHeap () returned 0x4e0000 [0095.535] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.535] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x53af570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.535] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.544] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x53af570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.544] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.546] GetProcessHeap () returned 0x4e0000 [0095.546] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.546] GetProcessHeap () returned 0x4e0000 [0095.546] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.546] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x53ec600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.546] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.562] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x53ec600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.562] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.563] GetProcessHeap () returned 0x4e0000 [0095.564] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.564] GetProcessHeap () returned 0x4e0000 [0095.564] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.564] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5429690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.564] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.572] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5429690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.572] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.572] GetProcessHeap () returned 0x4e0000 [0095.572] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.572] GetProcessHeap () returned 0x4e0000 [0095.573] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.573] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5466720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.573] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.581] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5466720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.581] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.582] GetProcessHeap () returned 0x4e0000 [0095.582] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.582] GetProcessHeap () returned 0x4e0000 [0095.582] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.582] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x54a37b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.582] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.591] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x54a37b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.591] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.592] GetProcessHeap () returned 0x4e0000 [0095.592] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.592] GetProcessHeap () returned 0x4e0000 [0095.592] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.592] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x54e0840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.592] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.600] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x54e0840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.600] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.600] GetProcessHeap () returned 0x4e0000 [0095.600] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.600] GetProcessHeap () returned 0x4e0000 [0095.600] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.601] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x551d8d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.601] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.615] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x551d8d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.615] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.616] GetProcessHeap () returned 0x4e0000 [0095.616] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.616] GetProcessHeap () returned 0x4e0000 [0095.616] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.616] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x555a960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.616] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.629] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x555a960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.629] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.630] GetProcessHeap () returned 0x4e0000 [0095.630] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.630] GetProcessHeap () returned 0x4e0000 [0095.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.630] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x55979f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.630] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.638] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x55979f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.638] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.639] GetProcessHeap () returned 0x4e0000 [0095.639] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.639] GetProcessHeap () returned 0x4e0000 [0095.639] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.639] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x55d4a80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.639] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.647] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x55d4a80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.647] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.647] GetProcessHeap () returned 0x4e0000 [0095.648] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.648] GetProcessHeap () returned 0x4e0000 [0095.648] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.648] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5611b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.648] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.662] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5611b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.662] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.663] GetProcessHeap () returned 0x4e0000 [0095.663] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.663] GetProcessHeap () returned 0x4e0000 [0095.663] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.663] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x564eba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.663] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.673] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x564eba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.673] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.673] GetProcessHeap () returned 0x4e0000 [0095.673] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.673] GetProcessHeap () returned 0x4e0000 [0095.673] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.673] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x568bc30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.673] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.681] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x568bc30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.682] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.682] GetProcessHeap () returned 0x4e0000 [0095.682] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.682] GetProcessHeap () returned 0x4e0000 [0095.682] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.682] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x56c8cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.682] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.691] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x56c8cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.691] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.691] GetProcessHeap () returned 0x4e0000 [0095.691] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.691] GetProcessHeap () returned 0x4e0000 [0095.692] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.692] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5705d50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.692] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.706] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5705d50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.706] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.706] GetProcessHeap () returned 0x4e0000 [0095.706] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.707] GetProcessHeap () returned 0x4e0000 [0095.707] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.707] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5742de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.707] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.717] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5742de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.717] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.718] GetProcessHeap () returned 0x4e0000 [0095.718] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.718] GetProcessHeap () returned 0x4e0000 [0095.718] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.718] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x577fe70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.718] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.726] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x577fe70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.726] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.727] GetProcessHeap () returned 0x4e0000 [0095.727] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.727] GetProcessHeap () returned 0x4e0000 [0095.727] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.727] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x57bcf00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.727] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.737] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x57bcf00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.737] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.738] GetProcessHeap () returned 0x4e0000 [0095.738] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.738] GetProcessHeap () returned 0x4e0000 [0095.738] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.738] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x57f9f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.738] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.755] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x57f9f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.755] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.756] GetProcessHeap () returned 0x4e0000 [0095.756] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.756] GetProcessHeap () returned 0x4e0000 [0095.756] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.756] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5837020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.756] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.770] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5837020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.770] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.771] GetProcessHeap () returned 0x4e0000 [0095.771] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.771] GetProcessHeap () returned 0x4e0000 [0095.771] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.771] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x58740b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.771] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.781] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x58740b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.782] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.782] GetProcessHeap () returned 0x4e0000 [0095.782] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.782] GetProcessHeap () returned 0x4e0000 [0095.782] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.782] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x58b1140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.782] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.792] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x58b1140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.792] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.793] GetProcessHeap () returned 0x4e0000 [0095.793] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.793] GetProcessHeap () returned 0x4e0000 [0095.793] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.793] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x58ee1d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.793] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.813] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x58ee1d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.813] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.814] GetProcessHeap () returned 0x4e0000 [0095.814] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.814] GetProcessHeap () returned 0x4e0000 [0095.814] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.814] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x592b260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.814] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.824] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x592b260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.824] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.824] GetProcessHeap () returned 0x4e0000 [0095.824] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.824] GetProcessHeap () returned 0x4e0000 [0095.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.825] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x59682f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.825] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.834] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x59682f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.834] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.835] GetProcessHeap () returned 0x4e0000 [0095.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.835] GetProcessHeap () returned 0x4e0000 [0095.835] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.835] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x59a5380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.835] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.846] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x59a5380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.846] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.846] GetProcessHeap () returned 0x4e0000 [0095.846] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.846] GetProcessHeap () returned 0x4e0000 [0095.846] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.846] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x59e2410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.846] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.865] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x59e2410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.865] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.867] GetProcessHeap () returned 0x4e0000 [0095.867] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.867] GetProcessHeap () returned 0x4e0000 [0095.867] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.867] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5a1f4a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.867] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.877] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5a1f4a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.877] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.878] GetProcessHeap () returned 0x4e0000 [0095.878] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.878] GetProcessHeap () returned 0x4e0000 [0095.878] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.878] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5a5c530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.878] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.895] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5a5c530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.895] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.895] GetProcessHeap () returned 0x4e0000 [0095.895] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.895] GetProcessHeap () returned 0x4e0000 [0095.895] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.895] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5a995c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.895] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.905] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5a995c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.905] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.906] GetProcessHeap () returned 0x4e0000 [0095.906] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.906] GetProcessHeap () returned 0x4e0000 [0095.906] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.906] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5ad6650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.906] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.915] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5ad6650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.915] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.916] GetProcessHeap () returned 0x4e0000 [0095.916] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.916] GetProcessHeap () returned 0x4e0000 [0095.916] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.916] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5b136e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.916] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.932] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5b136e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.932] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.933] GetProcessHeap () returned 0x4e0000 [0095.933] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.933] GetProcessHeap () returned 0x4e0000 [0095.933] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.933] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5b50770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.933] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.944] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5b50770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.944] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.945] GetProcessHeap () returned 0x4e0000 [0095.945] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.945] GetProcessHeap () returned 0x4e0000 [0095.945] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.945] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5b8d800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.945] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.959] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5b8d800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.959] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.960] GetProcessHeap () returned 0x4e0000 [0095.960] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.960] GetProcessHeap () returned 0x4e0000 [0095.960] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.960] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5bca890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.960] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.970] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5bca890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.970] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.971] GetProcessHeap () returned 0x4e0000 [0095.971] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.971] GetProcessHeap () returned 0x4e0000 [0095.971] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.971] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5c07920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.971] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.986] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5c07920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.987] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.987] GetProcessHeap () returned 0x4e0000 [0095.987] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.987] GetProcessHeap () returned 0x4e0000 [0095.987] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.987] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5c449b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.987] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.997] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5c449b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.997] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.998] GetProcessHeap () returned 0x4e0000 [0095.998] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0095.998] GetProcessHeap () returned 0x4e0000 [0095.998] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0095.998] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5c81a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.998] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.007] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5c81a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.007] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.008] GetProcessHeap () returned 0x4e0000 [0096.008] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.008] GetProcessHeap () returned 0x4e0000 [0096.008] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.008] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5cbead0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.008] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.018] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5cbead0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.018] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.018] GetProcessHeap () returned 0x4e0000 [0096.018] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.018] GetProcessHeap () returned 0x4e0000 [0096.018] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.018] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5cfbb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.019] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.033] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5cfbb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.033] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.035] GetProcessHeap () returned 0x4e0000 [0096.035] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.035] GetProcessHeap () returned 0x4e0000 [0096.035] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.035] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5d38bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.035] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.046] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5d38bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.046] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.046] GetProcessHeap () returned 0x4e0000 [0096.046] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.046] GetProcessHeap () returned 0x4e0000 [0096.046] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.046] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5d75c80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.046] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.055] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5d75c80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.055] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.056] GetProcessHeap () returned 0x4e0000 [0096.056] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.056] GetProcessHeap () returned 0x4e0000 [0096.056] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.056] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5db2d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.056] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.065] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5db2d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.065] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.066] GetProcessHeap () returned 0x4e0000 [0096.066] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.066] GetProcessHeap () returned 0x4e0000 [0096.066] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.066] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5defda0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.066] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.085] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5defda0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.085] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.086] GetProcessHeap () returned 0x4e0000 [0096.087] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.087] GetProcessHeap () returned 0x4e0000 [0096.087] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.087] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5e2ce30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.087] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.097] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5e2ce30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.097] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.097] GetProcessHeap () returned 0x4e0000 [0096.097] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.097] GetProcessHeap () returned 0x4e0000 [0096.097] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.097] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5e69ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.098] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.107] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5e69ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.107] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.108] GetProcessHeap () returned 0x4e0000 [0096.108] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.108] GetProcessHeap () returned 0x4e0000 [0096.108] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.108] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5ea6f50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.108] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.117] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5ea6f50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.118] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.118] GetProcessHeap () returned 0x4e0000 [0096.118] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.118] GetProcessHeap () returned 0x4e0000 [0096.118] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.118] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5ee3fe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.118] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.136] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5ee3fe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.136] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.137] GetProcessHeap () returned 0x4e0000 [0096.137] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.137] GetProcessHeap () returned 0x4e0000 [0096.137] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.138] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5f21070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.138] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.146] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5f21070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.146] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.147] GetProcessHeap () returned 0x4e0000 [0096.147] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.147] GetProcessHeap () returned 0x4e0000 [0096.147] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.147] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5f5e100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.147] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.158] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5f5e100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.158] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.159] GetProcessHeap () returned 0x4e0000 [0096.159] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.159] GetProcessHeap () returned 0x4e0000 [0096.159] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.159] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5f9b190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.159] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.170] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5f9b190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.170] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.171] GetProcessHeap () returned 0x4e0000 [0096.171] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.171] GetProcessHeap () returned 0x4e0000 [0096.171] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.171] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5fd8220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.171] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.181] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x5fd8220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.181] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.182] GetProcessHeap () returned 0x4e0000 [0096.182] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.182] GetProcessHeap () returned 0x4e0000 [0096.182] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.182] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x60152b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.182] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.222] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x60152b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.222] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.222] GetProcessHeap () returned 0x4e0000 [0096.222] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.222] GetProcessHeap () returned 0x4e0000 [0096.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.222] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6052340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.222] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.234] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6052340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.234] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.235] GetProcessHeap () returned 0x4e0000 [0096.235] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.235] GetProcessHeap () returned 0x4e0000 [0096.235] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.235] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x608f3d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.235] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.244] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x608f3d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.244] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.245] GetProcessHeap () returned 0x4e0000 [0096.245] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.245] GetProcessHeap () returned 0x4e0000 [0096.245] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.245] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x60cc460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.245] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.255] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x60cc460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.255] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.256] GetProcessHeap () returned 0x4e0000 [0096.256] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.256] GetProcessHeap () returned 0x4e0000 [0096.256] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.256] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x61094f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.256] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.274] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x61094f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.274] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.275] GetProcessHeap () returned 0x4e0000 [0096.275] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.275] GetProcessHeap () returned 0x4e0000 [0096.275] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.275] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6146580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.275] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.284] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6146580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.284] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.285] GetProcessHeap () returned 0x4e0000 [0096.285] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.285] GetProcessHeap () returned 0x4e0000 [0096.285] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.285] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6183610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.285] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.295] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6183610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.295] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.296] GetProcessHeap () returned 0x4e0000 [0096.296] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.296] GetProcessHeap () returned 0x4e0000 [0096.296] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.296] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x61c06a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.296] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.304] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x61c06a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.304] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.305] GetProcessHeap () returned 0x4e0000 [0096.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.305] GetProcessHeap () returned 0x4e0000 [0096.305] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.305] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x61fd730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.305] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.335] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x61fd730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.335] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.336] GetProcessHeap () returned 0x4e0000 [0096.336] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.336] GetProcessHeap () returned 0x4e0000 [0096.337] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.337] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x623a7c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.337] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.352] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x623a7c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.352] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.353] GetProcessHeap () returned 0x4e0000 [0096.353] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.353] GetProcessHeap () returned 0x4e0000 [0096.353] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.353] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6277850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.353] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.366] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6277850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.366] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.367] GetProcessHeap () returned 0x4e0000 [0096.367] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.367] GetProcessHeap () returned 0x4e0000 [0096.367] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.367] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x62b48e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.367] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.377] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x62b48e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.377] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.378] GetProcessHeap () returned 0x4e0000 [0096.378] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.378] GetProcessHeap () returned 0x4e0000 [0096.378] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.378] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x62f1970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.378] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.395] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x62f1970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.395] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.397] GetProcessHeap () returned 0x4e0000 [0096.397] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.397] GetProcessHeap () returned 0x4e0000 [0096.397] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.397] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x632ea00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.397] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.407] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x632ea00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.407] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.408] GetProcessHeap () returned 0x4e0000 [0096.408] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.408] GetProcessHeap () returned 0x4e0000 [0096.408] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.408] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x636ba90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.408] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.420] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x636ba90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.420] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.421] GetProcessHeap () returned 0x4e0000 [0096.421] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.421] GetProcessHeap () returned 0x4e0000 [0096.421] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.421] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x63a8b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.421] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.429] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x63a8b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.429] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.430] GetProcessHeap () returned 0x4e0000 [0096.430] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.430] GetProcessHeap () returned 0x4e0000 [0096.430] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.430] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x63e5bb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.430] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.445] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x63e5bb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.445] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.446] GetProcessHeap () returned 0x4e0000 [0096.446] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.446] GetProcessHeap () returned 0x4e0000 [0096.446] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.446] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6422c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.446] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.454] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6422c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.454] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.455] GetProcessHeap () returned 0x4e0000 [0096.455] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.455] GetProcessHeap () returned 0x4e0000 [0096.455] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.455] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x645fcd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.455] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.465] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x645fcd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.465] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.466] GetProcessHeap () returned 0x4e0000 [0096.466] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.466] GetProcessHeap () returned 0x4e0000 [0096.466] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.466] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x649cd60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.466] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.475] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x649cd60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.475] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.475] GetProcessHeap () returned 0x4e0000 [0096.475] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.476] GetProcessHeap () returned 0x4e0000 [0096.476] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.476] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x64d9df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.476] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.485] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x64d9df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.485] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.485] GetProcessHeap () returned 0x4e0000 [0096.485] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.485] GetProcessHeap () returned 0x4e0000 [0096.485] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.485] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6516e80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.485] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.518] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6516e80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.518] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.519] GetProcessHeap () returned 0x4e0000 [0096.519] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.519] GetProcessHeap () returned 0x4e0000 [0096.519] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.519] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6553f10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.519] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.528] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6553f10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.529] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.529] GetProcessHeap () returned 0x4e0000 [0096.529] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.529] GetProcessHeap () returned 0x4e0000 [0096.529] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.529] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6590fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.529] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.538] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6590fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.538] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.538] GetProcessHeap () returned 0x4e0000 [0096.539] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.539] GetProcessHeap () returned 0x4e0000 [0096.539] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.539] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x65ce030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.539] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.549] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x65ce030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.549] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.549] GetProcessHeap () returned 0x4e0000 [0096.549] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.549] GetProcessHeap () returned 0x4e0000 [0096.549] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.549] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x660b0c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.550] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.567] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x660b0c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.567] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.568] GetProcessHeap () returned 0x4e0000 [0096.568] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.568] GetProcessHeap () returned 0x4e0000 [0096.568] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.568] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6648150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.568] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.578] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6648150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.578] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.579] GetProcessHeap () returned 0x4e0000 [0096.579] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.579] GetProcessHeap () returned 0x4e0000 [0096.579] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.579] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x66851e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.579] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.588] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x66851e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.588] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.589] GetProcessHeap () returned 0x4e0000 [0096.589] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.589] GetProcessHeap () returned 0x4e0000 [0096.589] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.589] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x66c2270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.589] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.598] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x66c2270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.598] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.598] GetProcessHeap () returned 0x4e0000 [0096.598] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.598] GetProcessHeap () returned 0x4e0000 [0096.598] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.598] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x66ff300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.598] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.618] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x66ff300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.618] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.619] GetProcessHeap () returned 0x4e0000 [0096.619] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.619] GetProcessHeap () returned 0x4e0000 [0096.619] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.620] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x673c390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.620] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.629] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x673c390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.630] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.630] GetProcessHeap () returned 0x4e0000 [0096.630] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.630] GetProcessHeap () returned 0x4e0000 [0096.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.630] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6779420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.630] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.639] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6779420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.639] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.639] GetProcessHeap () returned 0x4e0000 [0096.639] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.639] GetProcessHeap () returned 0x4e0000 [0096.639] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.639] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x67b64b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.639] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.648] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x67b64b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.648] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.649] GetProcessHeap () returned 0x4e0000 [0096.649] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.649] GetProcessHeap () returned 0x4e0000 [0096.649] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.649] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x67f3540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.649] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.670] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x67f3540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.670] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.672] GetProcessHeap () returned 0x4e0000 [0096.672] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.672] GetProcessHeap () returned 0x4e0000 [0096.672] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.672] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x68305d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.672] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.680] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x68305d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.680] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.681] GetProcessHeap () returned 0x4e0000 [0096.681] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.681] GetProcessHeap () returned 0x4e0000 [0096.681] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.681] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x686d660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.681] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.691] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x686d660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.691] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.692] GetProcessHeap () returned 0x4e0000 [0096.692] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.692] GetProcessHeap () returned 0x4e0000 [0096.692] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.692] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x68aa6f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.692] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.706] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x68aa6f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.706] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.707] GetProcessHeap () returned 0x4e0000 [0096.707] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.707] GetProcessHeap () returned 0x4e0000 [0096.707] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.707] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x68e7780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.707] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.722] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x68e7780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.722] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.723] GetProcessHeap () returned 0x4e0000 [0096.723] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.723] GetProcessHeap () returned 0x4e0000 [0096.723] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.723] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6924810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.723] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.734] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6924810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.734] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.735] GetProcessHeap () returned 0x4e0000 [0096.735] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.735] GetProcessHeap () returned 0x4e0000 [0096.735] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.735] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x69618a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.735] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.745] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x69618a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.745] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.747] GetProcessHeap () returned 0x4e0000 [0096.748] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.748] GetProcessHeap () returned 0x4e0000 [0096.748] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.748] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x699e930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.748] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.757] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x699e930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.757] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.758] GetProcessHeap () returned 0x4e0000 [0096.758] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.758] GetProcessHeap () returned 0x4e0000 [0096.758] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.758] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x69db9c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.758] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.769] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x69db9c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.769] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.769] GetProcessHeap () returned 0x4e0000 [0096.769] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.769] GetProcessHeap () returned 0x4e0000 [0096.769] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.769] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6a18a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.769] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.789] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6a18a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.789] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.789] GetProcessHeap () returned 0x4e0000 [0096.789] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.789] GetProcessHeap () returned 0x4e0000 [0096.790] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.790] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6a55ae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.790] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.800] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6a55ae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.801] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.801] GetProcessHeap () returned 0x4e0000 [0096.801] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.801] GetProcessHeap () returned 0x4e0000 [0096.801] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.801] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6a92b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.801] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.813] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6a92b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.814] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.814] GetProcessHeap () returned 0x4e0000 [0096.814] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.814] GetProcessHeap () returned 0x4e0000 [0096.814] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.814] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6acfc00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.814] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.826] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6acfc00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.826] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.827] GetProcessHeap () returned 0x4e0000 [0096.827] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.827] GetProcessHeap () returned 0x4e0000 [0096.827] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.827] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6b0cc90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.827] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.846] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6b0cc90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.847] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.847] GetProcessHeap () returned 0x4e0000 [0096.847] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.847] GetProcessHeap () returned 0x4e0000 [0096.847] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.847] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6b49d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.847] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.859] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6b49d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.859] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.859] GetProcessHeap () returned 0x4e0000 [0096.859] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.859] GetProcessHeap () returned 0x4e0000 [0096.859] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.859] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6b86db0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.859] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.873] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6b86db0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.873] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.874] GetProcessHeap () returned 0x4e0000 [0096.874] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.874] GetProcessHeap () returned 0x4e0000 [0096.874] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.874] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6bc3e40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.874] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.885] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6bc3e40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.885] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.886] GetProcessHeap () returned 0x4e0000 [0096.886] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.886] GetProcessHeap () returned 0x4e0000 [0096.886] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.887] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6c00ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.887] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.904] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6c00ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.904] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.904] GetProcessHeap () returned 0x4e0000 [0096.904] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.904] GetProcessHeap () returned 0x4e0000 [0096.904] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.904] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6c3df60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.904] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.915] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6c3df60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.915] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.916] GetProcessHeap () returned 0x4e0000 [0096.916] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.916] GetProcessHeap () returned 0x4e0000 [0096.916] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.916] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6c7aff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.916] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.926] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6c7aff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.926] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.927] GetProcessHeap () returned 0x4e0000 [0096.927] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.927] GetProcessHeap () returned 0x4e0000 [0096.927] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.927] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6cb8080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.927] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.938] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6cb8080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.939] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.939] GetProcessHeap () returned 0x4e0000 [0096.939] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.939] GetProcessHeap () returned 0x4e0000 [0096.939] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.939] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6cf5110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.939] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.954] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6cf5110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.954] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.955] GetProcessHeap () returned 0x4e0000 [0096.955] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.955] GetProcessHeap () returned 0x4e0000 [0096.955] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.955] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6d321a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.955] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.964] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6d321a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.964] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.965] GetProcessHeap () returned 0x4e0000 [0096.965] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.965] GetProcessHeap () returned 0x4e0000 [0096.965] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.965] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6d6f230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.965] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.974] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6d6f230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.974] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.974] GetProcessHeap () returned 0x4e0000 [0096.974] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.974] GetProcessHeap () returned 0x4e0000 [0096.974] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.974] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6dac2c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.974] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0096.984] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6dac2c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.984] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0096.985] GetProcessHeap () returned 0x4e0000 [0096.985] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0096.985] GetProcessHeap () returned 0x4e0000 [0096.985] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0096.985] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6de9350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.985] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.010] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6de9350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.010] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.012] GetProcessHeap () returned 0x4e0000 [0097.012] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.012] GetProcessHeap () returned 0x4e0000 [0097.012] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.012] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6e263e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.012] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.032] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6e263e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.032] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.033] GetProcessHeap () returned 0x4e0000 [0097.033] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.033] GetProcessHeap () returned 0x4e0000 [0097.033] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.033] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6e63470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.033] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.043] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6e63470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.043] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.044] GetProcessHeap () returned 0x4e0000 [0097.044] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.044] GetProcessHeap () returned 0x4e0000 [0097.044] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.044] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6ea0500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.044] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.054] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6ea0500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.054] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.054] GetProcessHeap () returned 0x4e0000 [0097.054] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.054] GetProcessHeap () returned 0x4e0000 [0097.054] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.054] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6edd590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.054] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.068] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6edd590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.068] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.069] GetProcessHeap () returned 0x4e0000 [0097.069] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.069] GetProcessHeap () returned 0x4e0000 [0097.069] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.069] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6f1a620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.069] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.091] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6f1a620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.091] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.091] GetProcessHeap () returned 0x4e0000 [0097.091] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.092] GetProcessHeap () returned 0x4e0000 [0097.092] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.092] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6f576b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.092] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.103] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6f576b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.103] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.104] GetProcessHeap () returned 0x4e0000 [0097.104] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.104] GetProcessHeap () returned 0x4e0000 [0097.105] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.106] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6f94740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.106] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.118] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6f94740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.118] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.119] GetProcessHeap () returned 0x4e0000 [0097.119] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.119] GetProcessHeap () returned 0x4e0000 [0097.119] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.119] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6fd17d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.119] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.131] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x6fd17d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.131] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.132] GetProcessHeap () returned 0x4e0000 [0097.132] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.132] GetProcessHeap () returned 0x4e0000 [0097.132] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.132] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x700e860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.132] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.148] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x700e860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.148] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.149] GetProcessHeap () returned 0x4e0000 [0097.149] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.149] GetProcessHeap () returned 0x4e0000 [0097.149] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.149] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x704b8f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.149] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.160] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x704b8f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.160] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.160] GetProcessHeap () returned 0x4e0000 [0097.160] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.161] GetProcessHeap () returned 0x4e0000 [0097.161] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.161] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7088980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.161] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.170] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7088980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.170] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.171] GetProcessHeap () returned 0x4e0000 [0097.171] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.171] GetProcessHeap () returned 0x4e0000 [0097.171] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.171] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x70c5a10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.171] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.183] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x70c5a10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.183] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.184] GetProcessHeap () returned 0x4e0000 [0097.184] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.184] GetProcessHeap () returned 0x4e0000 [0097.184] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.184] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7102aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.184] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.224] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7102aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.224] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.225] GetProcessHeap () returned 0x4e0000 [0097.225] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.225] GetProcessHeap () returned 0x4e0000 [0097.225] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.225] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x713fb30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.225] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.236] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x713fb30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.236] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.236] GetProcessHeap () returned 0x4e0000 [0097.236] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.236] GetProcessHeap () returned 0x4e0000 [0097.236] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.236] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x717cbc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.236] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.248] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x717cbc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.248] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.249] GetProcessHeap () returned 0x4e0000 [0097.249] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.249] GetProcessHeap () returned 0x4e0000 [0097.249] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.249] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x71b9c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.249] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.259] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x71b9c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.259] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.260] GetProcessHeap () returned 0x4e0000 [0097.260] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.261] GetProcessHeap () returned 0x4e0000 [0097.261] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.261] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x71f6ce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.261] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.278] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x71f6ce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.278] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.279] GetProcessHeap () returned 0x4e0000 [0097.279] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.279] GetProcessHeap () returned 0x4e0000 [0097.279] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.279] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7233d70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.279] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.288] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7233d70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.289] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.289] GetProcessHeap () returned 0x4e0000 [0097.289] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.289] GetProcessHeap () returned 0x4e0000 [0097.289] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.289] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7270e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.289] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.300] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7270e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.300] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.300] GetProcessHeap () returned 0x4e0000 [0097.300] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.300] GetProcessHeap () returned 0x4e0000 [0097.301] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.301] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x72ade90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.301] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.311] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x72ade90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.311] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.312] GetProcessHeap () returned 0x4e0000 [0097.312] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.312] GetProcessHeap () returned 0x4e0000 [0097.312] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.312] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x72eaf20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.312] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.330] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x72eaf20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.330] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.331] GetProcessHeap () returned 0x4e0000 [0097.332] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.332] GetProcessHeap () returned 0x4e0000 [0097.332] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.332] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7327fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.332] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.346] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7327fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.346] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.347] GetProcessHeap () returned 0x4e0000 [0097.347] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.347] GetProcessHeap () returned 0x4e0000 [0097.347] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.347] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7365040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.347] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.356] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7365040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.356] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.358] GetProcessHeap () returned 0x4e0000 [0097.358] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.358] GetProcessHeap () returned 0x4e0000 [0097.358] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.359] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x73a20d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.359] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.370] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x73a20d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.370] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.370] GetProcessHeap () returned 0x4e0000 [0097.370] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.370] GetProcessHeap () returned 0x4e0000 [0097.370] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.370] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x73df160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.371] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.379] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x73df160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.379] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.380] GetProcessHeap () returned 0x4e0000 [0097.380] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.380] GetProcessHeap () returned 0x4e0000 [0097.380] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.380] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x741c1f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.380] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.402] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x741c1f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.402] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.403] GetProcessHeap () returned 0x4e0000 [0097.403] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.403] GetProcessHeap () returned 0x4e0000 [0097.403] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.403] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7459280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.403] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.413] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7459280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.413] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.414] GetProcessHeap () returned 0x4e0000 [0097.414] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.414] GetProcessHeap () returned 0x4e0000 [0097.414] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.414] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7496310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.414] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.426] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7496310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.426] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.427] GetProcessHeap () returned 0x4e0000 [0097.427] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.427] GetProcessHeap () returned 0x4e0000 [0097.427] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.427] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x74d33a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.427] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.438] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x74d33a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.438] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.438] GetProcessHeap () returned 0x4e0000 [0097.439] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.439] GetProcessHeap () returned 0x4e0000 [0097.439] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.439] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7510430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.439] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.454] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7510430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.455] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.455] GetProcessHeap () returned 0x4e0000 [0097.455] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.455] GetProcessHeap () returned 0x4e0000 [0097.455] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.455] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x754d4c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.455] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.469] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x754d4c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.469] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.470] GetProcessHeap () returned 0x4e0000 [0097.470] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.470] GetProcessHeap () returned 0x4e0000 [0097.470] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.470] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x758a550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.470] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.495] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x758a550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.495] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.495] GetProcessHeap () returned 0x4e0000 [0097.496] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.496] GetProcessHeap () returned 0x4e0000 [0097.496] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.496] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x75c75e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.496] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.507] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x75c75e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.507] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.508] GetProcessHeap () returned 0x4e0000 [0097.508] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.508] GetProcessHeap () returned 0x4e0000 [0097.508] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.508] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7604670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.508] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.547] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7604670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.548] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.548] GetProcessHeap () returned 0x4e0000 [0097.548] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.548] GetProcessHeap () returned 0x4e0000 [0097.548] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.548] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7641700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.548] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.562] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7641700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.562] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.563] GetProcessHeap () returned 0x4e0000 [0097.563] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.563] GetProcessHeap () returned 0x4e0000 [0097.563] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.563] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x767e790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.563] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.573] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x767e790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.573] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.574] GetProcessHeap () returned 0x4e0000 [0097.574] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.574] GetProcessHeap () returned 0x4e0000 [0097.574] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.574] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x76bb820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.574] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.588] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x76bb820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.589] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.589] GetProcessHeap () returned 0x4e0000 [0097.589] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.589] GetProcessHeap () returned 0x4e0000 [0097.589] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.589] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x76f88b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.590] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.612] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x76f88b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.612] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.614] GetProcessHeap () returned 0x4e0000 [0097.614] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.614] GetProcessHeap () returned 0x4e0000 [0097.614] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.614] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7735940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.614] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.628] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7735940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.628] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.629] GetProcessHeap () returned 0x4e0000 [0097.629] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.629] GetProcessHeap () returned 0x4e0000 [0097.629] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.629] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x77729d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.629] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.642] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x77729d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.642] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.642] GetProcessHeap () returned 0x4e0000 [0097.642] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.642] GetProcessHeap () returned 0x4e0000 [0097.642] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.643] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x77afa60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.643] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.658] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x77afa60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.658] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.659] GetProcessHeap () returned 0x4e0000 [0097.659] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.659] GetProcessHeap () returned 0x4e0000 [0097.659] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.659] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x77ecaf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.659] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.678] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x77ecaf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.678] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.680] GetProcessHeap () returned 0x4e0000 [0097.680] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.680] GetProcessHeap () returned 0x4e0000 [0097.680] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.680] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7829b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.680] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.692] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7829b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.692] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.693] GetProcessHeap () returned 0x4e0000 [0097.693] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.693] GetProcessHeap () returned 0x4e0000 [0097.693] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.693] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7866c10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.693] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.705] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7866c10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.705] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.706] GetProcessHeap () returned 0x4e0000 [0097.706] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.706] GetProcessHeap () returned 0x4e0000 [0097.706] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.706] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x78a3ca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.706] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.717] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x78a3ca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.717] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.718] GetProcessHeap () returned 0x4e0000 [0097.718] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.718] GetProcessHeap () returned 0x4e0000 [0097.718] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.718] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x78e0d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.718] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.729] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x78e0d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.729] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.729] GetProcessHeap () returned 0x4e0000 [0097.729] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.730] GetProcessHeap () returned 0x4e0000 [0097.730] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.730] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x791ddc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.730] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.750] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x791ddc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.751] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.751] GetProcessHeap () returned 0x4e0000 [0097.751] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.751] GetProcessHeap () returned 0x4e0000 [0097.751] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.751] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x795ae50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.752] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.762] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x795ae50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.762] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.763] GetProcessHeap () returned 0x4e0000 [0097.763] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.763] GetProcessHeap () returned 0x4e0000 [0097.763] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.763] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7997ee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.763] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.775] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7997ee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.775] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.776] GetProcessHeap () returned 0x4e0000 [0097.776] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.776] GetProcessHeap () returned 0x4e0000 [0097.776] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.776] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x79d4f70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.776] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.790] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x79d4f70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.790] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.790] GetProcessHeap () returned 0x4e0000 [0097.790] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.790] GetProcessHeap () returned 0x4e0000 [0097.790] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.791] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7a12000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.791] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.809] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7a12000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.809] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.810] GetProcessHeap () returned 0x4e0000 [0097.810] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.810] GetProcessHeap () returned 0x4e0000 [0097.810] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.810] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7a4f090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.810] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.821] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7a4f090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.821] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.821] GetProcessHeap () returned 0x4e0000 [0097.821] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.821] GetProcessHeap () returned 0x4e0000 [0097.822] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.822] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7a8c120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.822] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.834] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7a8c120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.834] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.835] GetProcessHeap () returned 0x4e0000 [0097.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.835] GetProcessHeap () returned 0x4e0000 [0097.835] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.835] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7ac91b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.835] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.846] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7ac91b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.846] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.847] GetProcessHeap () returned 0x4e0000 [0097.847] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.847] GetProcessHeap () returned 0x4e0000 [0097.847] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.847] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7b06240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.847] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.868] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7b06240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.868] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.870] GetProcessHeap () returned 0x4e0000 [0097.870] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.870] GetProcessHeap () returned 0x4e0000 [0097.870] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.870] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7b432d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.870] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.877] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7b432d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.878] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.878] GetProcessHeap () returned 0x4e0000 [0097.878] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.878] GetProcessHeap () returned 0x4e0000 [0097.878] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.878] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7b80360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.878] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.889] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7b80360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.889] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.889] GetProcessHeap () returned 0x4e0000 [0097.890] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.890] GetProcessHeap () returned 0x4e0000 [0097.890] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.890] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7bbd3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.890] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.900] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7bbd3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.901] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.901] GetProcessHeap () returned 0x4e0000 [0097.901] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.901] GetProcessHeap () returned 0x4e0000 [0097.901] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.901] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7bfa480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.901] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.924] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7bfa480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.924] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.926] GetProcessHeap () returned 0x4e0000 [0097.926] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.926] GetProcessHeap () returned 0x4e0000 [0097.926] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.926] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7c37510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.926] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.937] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7c37510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.937] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.937] GetProcessHeap () returned 0x4e0000 [0097.937] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.938] GetProcessHeap () returned 0x4e0000 [0097.938] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.938] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7c745a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.938] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.948] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7c745a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.948] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.949] GetProcessHeap () returned 0x4e0000 [0097.949] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.949] GetProcessHeap () returned 0x4e0000 [0097.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.949] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7cb1630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.949] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.960] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7cb1630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.960] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.961] GetProcessHeap () returned 0x4e0000 [0097.961] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.961] GetProcessHeap () returned 0x4e0000 [0097.961] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.961] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7cee6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.961] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0097.992] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7cee6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.992] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0097.994] GetProcessHeap () returned 0x4e0000 [0097.994] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0097.994] GetProcessHeap () returned 0x4e0000 [0097.994] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0097.994] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7d2b750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.994] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.006] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7d2b750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.006] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.007] GetProcessHeap () returned 0x4e0000 [0098.007] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.007] GetProcessHeap () returned 0x4e0000 [0098.007] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.007] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7d687e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.007] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.026] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7d687e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.026] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.027] GetProcessHeap () returned 0x4e0000 [0098.027] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.027] GetProcessHeap () returned 0x4e0000 [0098.027] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.027] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7da5870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.027] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.049] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7da5870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.049] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.050] GetProcessHeap () returned 0x4e0000 [0098.050] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.050] GetProcessHeap () returned 0x4e0000 [0098.050] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.050] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7de2900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.050] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.194] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7de2900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.194] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.195] GetProcessHeap () returned 0x4e0000 [0098.195] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.195] GetProcessHeap () returned 0x4e0000 [0098.195] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.196] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7e1f990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.196] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.202] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7e1f990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.202] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.202] GetProcessHeap () returned 0x4e0000 [0098.202] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.202] GetProcessHeap () returned 0x4e0000 [0098.202] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.203] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7e5ca20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.203] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.291] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7e5ca20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.291] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.292] GetProcessHeap () returned 0x4e0000 [0098.293] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.293] GetProcessHeap () returned 0x4e0000 [0098.293] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.293] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7e99ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.293] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.302] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7e99ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.302] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.303] GetProcessHeap () returned 0x4e0000 [0098.303] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.303] GetProcessHeap () returned 0x4e0000 [0098.303] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.303] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7ed6b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.303] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.324] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7ed6b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.324] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.325] GetProcessHeap () returned 0x4e0000 [0098.325] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.325] GetProcessHeap () returned 0x4e0000 [0098.325] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.325] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7f13bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.325] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.459] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7f13bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.459] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.460] GetProcessHeap () returned 0x4e0000 [0098.460] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.460] GetProcessHeap () returned 0x4e0000 [0098.460] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.460] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7f50c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.460] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.468] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7f50c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.468] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.469] GetProcessHeap () returned 0x4e0000 [0098.469] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.469] GetProcessHeap () returned 0x4e0000 [0098.469] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.469] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7f8dcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.469] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.592] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7f8dcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.592] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.592] GetProcessHeap () returned 0x4e0000 [0098.592] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.592] GetProcessHeap () returned 0x4e0000 [0098.592] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.593] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7fcad80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.593] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.603] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x7fcad80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.603] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.604] GetProcessHeap () returned 0x4e0000 [0098.604] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.604] GetProcessHeap () returned 0x4e0000 [0098.604] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.604] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8007e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.604] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0098.656] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8007e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.656] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0098.657] GetProcessHeap () returned 0x4e0000 [0098.657] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0098.657] GetProcessHeap () returned 0x4e0000 [0098.657] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0098.657] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8044ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.657] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.014] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8044ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.014] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.015] GetProcessHeap () returned 0x4e0000 [0099.015] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.015] GetProcessHeap () returned 0x4e0000 [0099.015] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.015] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8081f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.015] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.024] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8081f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.024] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.024] GetProcessHeap () returned 0x4e0000 [0099.024] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.024] GetProcessHeap () returned 0x4e0000 [0099.024] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.024] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x80befc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.024] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.034] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x80befc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.034] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.034] GetProcessHeap () returned 0x4e0000 [0099.034] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.034] GetProcessHeap () returned 0x4e0000 [0099.034] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.034] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x80fc050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.035] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.050] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x80fc050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.050] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.052] GetProcessHeap () returned 0x4e0000 [0099.052] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.052] GetProcessHeap () returned 0x4e0000 [0099.052] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.052] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x81390e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.052] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.089] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x81390e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.089] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.089] GetProcessHeap () returned 0x4e0000 [0099.089] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.089] GetProcessHeap () returned 0x4e0000 [0099.090] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.090] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8176170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.090] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.100] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8176170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.100] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.100] GetProcessHeap () returned 0x4e0000 [0099.101] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.101] GetProcessHeap () returned 0x4e0000 [0099.101] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.101] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x81b3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.101] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.110] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x81b3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.110] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.111] GetProcessHeap () returned 0x4e0000 [0099.111] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.111] GetProcessHeap () returned 0x4e0000 [0099.111] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.111] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x81f0290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.111] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.130] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x81f0290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.130] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.131] GetProcessHeap () returned 0x4e0000 [0099.132] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.132] GetProcessHeap () returned 0x4e0000 [0099.132] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.132] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x822d320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.132] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.139] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x822d320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.139] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.139] GetProcessHeap () returned 0x4e0000 [0099.139] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.139] GetProcessHeap () returned 0x4e0000 [0099.139] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.140] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x826a3b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.140] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.185] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x826a3b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.186] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.186] GetProcessHeap () returned 0x4e0000 [0099.186] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.186] GetProcessHeap () returned 0x4e0000 [0099.186] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.186] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x82a7440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.186] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.276] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x82a7440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.276] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.276] GetProcessHeap () returned 0x4e0000 [0099.276] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.277] GetProcessHeap () returned 0x4e0000 [0099.277] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.277] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x82e44d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.277] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.295] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x82e44d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.295] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.297] GetProcessHeap () returned 0x4e0000 [0099.297] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.297] GetProcessHeap () returned 0x4e0000 [0099.297] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.297] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8321560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.297] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.308] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8321560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.308] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.309] GetProcessHeap () returned 0x4e0000 [0099.309] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.309] GetProcessHeap () returned 0x4e0000 [0099.309] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.309] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x835e5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.309] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.319] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x835e5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.319] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.320] GetProcessHeap () returned 0x4e0000 [0099.320] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.320] GetProcessHeap () returned 0x4e0000 [0099.320] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.320] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x839b680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.320] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.330] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x839b680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.330] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.330] GetProcessHeap () returned 0x4e0000 [0099.331] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.331] GetProcessHeap () returned 0x4e0000 [0099.331] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.331] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x83d8710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.331] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.341] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x83d8710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.341] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.341] GetProcessHeap () returned 0x4e0000 [0099.341] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.341] GetProcessHeap () returned 0x4e0000 [0099.341] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.342] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x84157a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.342] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.362] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x84157a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.362] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.363] GetProcessHeap () returned 0x4e0000 [0099.363] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.363] GetProcessHeap () returned 0x4e0000 [0099.363] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.363] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8452830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.363] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.373] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8452830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.373] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.374] GetProcessHeap () returned 0x4e0000 [0099.374] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.374] GetProcessHeap () returned 0x4e0000 [0099.374] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.374] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x848f8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.374] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.384] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x848f8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.384] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.385] GetProcessHeap () returned 0x4e0000 [0099.385] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.385] GetProcessHeap () returned 0x4e0000 [0099.385] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.385] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x84cc950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.385] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.397] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x84cc950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.397] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.398] GetProcessHeap () returned 0x4e0000 [0099.398] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.398] GetProcessHeap () returned 0x4e0000 [0099.398] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.398] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x85099e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.398] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.416] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x85099e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.416] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.416] GetProcessHeap () returned 0x4e0000 [0099.416] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.416] GetProcessHeap () returned 0x4e0000 [0099.416] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.417] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8546a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.417] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.427] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8546a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.427] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.428] GetProcessHeap () returned 0x4e0000 [0099.428] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.428] GetProcessHeap () returned 0x4e0000 [0099.428] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.428] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8583b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.428] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.440] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8583b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.440] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.440] GetProcessHeap () returned 0x4e0000 [0099.441] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.441] GetProcessHeap () returned 0x4e0000 [0099.441] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.441] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x85c0b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.441] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.464] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x85c0b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.465] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.465] GetProcessHeap () returned 0x4e0000 [0099.465] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.465] GetProcessHeap () returned 0x4e0000 [0099.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.465] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x85fdc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.465] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.480] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x85fdc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.480] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.482] GetProcessHeap () returned 0x4e0000 [0099.482] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.482] GetProcessHeap () returned 0x4e0000 [0099.482] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.482] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x863acb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.482] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.495] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x863acb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.496] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.496] GetProcessHeap () returned 0x4e0000 [0099.496] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.496] GetProcessHeap () returned 0x4e0000 [0099.496] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.496] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8677d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.496] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.505] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8677d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.505] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.506] GetProcessHeap () returned 0x4e0000 [0099.506] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.506] GetProcessHeap () returned 0x4e0000 [0099.506] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.506] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x86b4dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.506] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.514] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x86b4dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.514] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.515] GetProcessHeap () returned 0x4e0000 [0099.515] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.515] GetProcessHeap () returned 0x4e0000 [0099.515] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.515] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x86f1e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.516] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.535] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x86f1e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.535] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.536] GetProcessHeap () returned 0x4e0000 [0099.536] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.536] GetProcessHeap () returned 0x4e0000 [0099.537] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.537] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x872eef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.537] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.545] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x872eef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.545] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.546] GetProcessHeap () returned 0x4e0000 [0099.546] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.546] GetProcessHeap () returned 0x4e0000 [0099.546] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.546] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x876bf80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.546] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.570] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x876bf80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.570] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.571] GetProcessHeap () returned 0x4e0000 [0099.571] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.571] GetProcessHeap () returned 0x4e0000 [0099.571] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.571] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x87a9010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.571] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.579] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x87a9010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.579] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.579] GetProcessHeap () returned 0x4e0000 [0099.580] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.580] GetProcessHeap () returned 0x4e0000 [0099.580] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.580] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x87e60a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.580] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.598] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x87e60a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.598] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.600] GetProcessHeap () returned 0x4e0000 [0099.600] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.600] GetProcessHeap () returned 0x4e0000 [0099.600] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.600] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8823130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.600] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.608] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8823130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.609] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.609] GetProcessHeap () returned 0x4e0000 [0099.609] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.609] GetProcessHeap () returned 0x4e0000 [0099.609] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.609] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x88601c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.609] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.618] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x88601c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.618] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.619] GetProcessHeap () returned 0x4e0000 [0099.619] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.619] GetProcessHeap () returned 0x4e0000 [0099.619] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.619] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x889d250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.619] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.630] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x889d250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.630] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.631] GetProcessHeap () returned 0x4e0000 [0099.631] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.631] GetProcessHeap () returned 0x4e0000 [0099.631] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.631] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x88da2e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.631] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.640] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x88da2e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.640] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.641] GetProcessHeap () returned 0x4e0000 [0099.641] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.641] GetProcessHeap () returned 0x4e0000 [0099.641] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.641] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8917370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.641] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.659] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8917370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.659] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.659] GetProcessHeap () returned 0x4e0000 [0099.659] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.659] GetProcessHeap () returned 0x4e0000 [0099.659] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.660] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8954400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.660] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.669] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8954400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.669] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.670] GetProcessHeap () returned 0x4e0000 [0099.670] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.670] GetProcessHeap () returned 0x4e0000 [0099.670] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.670] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8991490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.670] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.680] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8991490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.680] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.681] GetProcessHeap () returned 0x4e0000 [0099.681] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.681] GetProcessHeap () returned 0x4e0000 [0099.681] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.681] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x89ce520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.681] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.693] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x89ce520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.694] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.695] GetProcessHeap () returned 0x4e0000 [0099.695] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.695] GetProcessHeap () returned 0x4e0000 [0099.695] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.695] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8a0b5b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.695] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.714] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8a0b5b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.714] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.714] GetProcessHeap () returned 0x4e0000 [0099.714] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.714] GetProcessHeap () returned 0x4e0000 [0099.714] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.715] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8a48640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.715] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.724] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8a48640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.724] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.725] GetProcessHeap () returned 0x4e0000 [0099.725] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.725] GetProcessHeap () returned 0x4e0000 [0099.725] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.725] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8a856d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.725] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.736] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8a856d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.737] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.737] GetProcessHeap () returned 0x4e0000 [0099.737] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.737] GetProcessHeap () returned 0x4e0000 [0099.737] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.737] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8ac2760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.737] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.746] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8ac2760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.746] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.747] GetProcessHeap () returned 0x4e0000 [0099.747] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.747] GetProcessHeap () returned 0x4e0000 [0099.747] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.747] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8aff7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.747] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.798] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8aff7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.798] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.800] GetProcessHeap () returned 0x4e0000 [0099.800] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.800] GetProcessHeap () returned 0x4e0000 [0099.800] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.800] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8b3c880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.800] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.810] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8b3c880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.810] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.811] GetProcessHeap () returned 0x4e0000 [0099.811] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.811] GetProcessHeap () returned 0x4e0000 [0099.811] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.811] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8b79910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.811] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.821] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8b79910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.821] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.821] GetProcessHeap () returned 0x4e0000 [0099.822] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.822] GetProcessHeap () returned 0x4e0000 [0099.822] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.822] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8bb69a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.822] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.833] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8bb69a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.833] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.834] GetProcessHeap () returned 0x4e0000 [0099.834] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.834] GetProcessHeap () returned 0x4e0000 [0099.834] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.834] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8bf3a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.834] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.851] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8bf3a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.852] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.853] GetProcessHeap () returned 0x4e0000 [0099.853] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.853] GetProcessHeap () returned 0x4e0000 [0099.853] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.853] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8c30ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.853] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.863] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8c30ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.863] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.863] GetProcessHeap () returned 0x4e0000 [0099.863] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.863] GetProcessHeap () returned 0x4e0000 [0099.864] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.864] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8c6db50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.864] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.874] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8c6db50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.874] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.875] GetProcessHeap () returned 0x4e0000 [0099.875] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.875] GetProcessHeap () returned 0x4e0000 [0099.875] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.875] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8caabe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.875] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.887] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8caabe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.887] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.888] GetProcessHeap () returned 0x4e0000 [0099.888] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.888] GetProcessHeap () returned 0x4e0000 [0099.888] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.888] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8ce7c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.888] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.905] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8ce7c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.906] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.907] GetProcessHeap () returned 0x4e0000 [0099.907] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.907] GetProcessHeap () returned 0x4e0000 [0099.907] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.907] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8d24d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.907] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.921] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8d24d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.921] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.921] GetProcessHeap () returned 0x4e0000 [0099.921] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.921] GetProcessHeap () returned 0x4e0000 [0099.921] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.922] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8d61d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.922] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.930] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8d61d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.930] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.931] GetProcessHeap () returned 0x4e0000 [0099.931] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.931] GetProcessHeap () returned 0x4e0000 [0099.931] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.931] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8d9ee20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.931] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.940] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8d9ee20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.940] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.940] GetProcessHeap () returned 0x4e0000 [0099.940] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.940] GetProcessHeap () returned 0x4e0000 [0099.940] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.941] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8ddbeb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.941] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.948] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8ddbeb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.948] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.949] GetProcessHeap () returned 0x4e0000 [0099.949] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.949] GetProcessHeap () returned 0x4e0000 [0099.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.949] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8e18f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.949] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.971] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8e18f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.971] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.972] GetProcessHeap () returned 0x4e0000 [0099.972] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.972] GetProcessHeap () returned 0x4e0000 [0099.972] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.972] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8e55fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.972] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.981] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8e55fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.982] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.982] GetProcessHeap () returned 0x4e0000 [0099.982] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.982] GetProcessHeap () returned 0x4e0000 [0099.982] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.982] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8e93060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.982] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0099.992] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8e93060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.992] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0099.993] GetProcessHeap () returned 0x4e0000 [0099.993] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0099.993] GetProcessHeap () returned 0x4e0000 [0099.993] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0099.993] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8ed00f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.993] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.004] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8ed00f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.004] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.005] GetProcessHeap () returned 0x4e0000 [0100.005] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.005] GetProcessHeap () returned 0x4e0000 [0100.005] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.005] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8f0d180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.005] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.023] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8f0d180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.023] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.023] GetProcessHeap () returned 0x4e0000 [0100.023] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.023] GetProcessHeap () returned 0x4e0000 [0100.023] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.023] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8f4a210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.024] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.033] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8f4a210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.033] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.034] GetProcessHeap () returned 0x4e0000 [0100.034] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.034] GetProcessHeap () returned 0x4e0000 [0100.034] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.034] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8f872a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.034] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.046] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8f872a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.046] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.047] GetProcessHeap () returned 0x4e0000 [0100.047] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.047] GetProcessHeap () returned 0x4e0000 [0100.047] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.047] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8fc4330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.047] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.055] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x8fc4330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.055] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.056] GetProcessHeap () returned 0x4e0000 [0100.056] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.056] GetProcessHeap () returned 0x4e0000 [0100.056] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.056] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x90013c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.056] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.118] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x90013c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.118] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.119] GetProcessHeap () returned 0x4e0000 [0100.119] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.119] GetProcessHeap () returned 0x4e0000 [0100.119] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.119] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x903e450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.119] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.143] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x903e450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.144] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.145] GetProcessHeap () returned 0x4e0000 [0100.145] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.145] GetProcessHeap () returned 0x4e0000 [0100.145] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.145] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x907b4e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.145] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.155] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x907b4e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.155] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.156] GetProcessHeap () returned 0x4e0000 [0100.156] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.156] GetProcessHeap () returned 0x4e0000 [0100.156] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.156] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x90b8570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.156] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.165] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x90b8570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.165] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.166] GetProcessHeap () returned 0x4e0000 [0100.166] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.166] GetProcessHeap () returned 0x4e0000 [0100.166] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.166] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x90f5600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.166] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.183] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x90f5600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.183] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.184] GetProcessHeap () returned 0x4e0000 [0100.184] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.184] GetProcessHeap () returned 0x4e0000 [0100.184] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.185] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9132690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.185] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.192] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9132690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.193] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.193] GetProcessHeap () returned 0x4e0000 [0100.193] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.194] GetProcessHeap () returned 0x4e0000 [0100.194] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.194] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x916f720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.194] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.202] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x916f720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.202] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.202] GetProcessHeap () returned 0x4e0000 [0100.203] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.203] GetProcessHeap () returned 0x4e0000 [0100.203] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.203] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x91ac7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.203] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.215] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x91ac7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.216] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.216] GetProcessHeap () returned 0x4e0000 [0100.216] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.216] GetProcessHeap () returned 0x4e0000 [0100.216] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.216] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x91e9840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.216] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.270] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x91e9840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.270] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.282] GetProcessHeap () returned 0x4e0000 [0100.282] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.283] GetProcessHeap () returned 0x4e0000 [0100.283] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.283] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x92268d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.283] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.294] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x92268d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.294] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.295] GetProcessHeap () returned 0x4e0000 [0100.295] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.295] GetProcessHeap () returned 0x4e0000 [0100.295] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.295] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9263960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.295] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.307] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9263960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.307] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.308] GetProcessHeap () returned 0x4e0000 [0100.308] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.308] GetProcessHeap () returned 0x4e0000 [0100.308] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.308] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x92a09f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.308] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.317] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x92a09f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.317] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.318] GetProcessHeap () returned 0x4e0000 [0100.318] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.318] GetProcessHeap () returned 0x4e0000 [0100.318] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.318] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x92dda80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.318] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.326] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x92dda80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.326] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.327] GetProcessHeap () returned 0x4e0000 [0100.327] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.327] GetProcessHeap () returned 0x4e0000 [0100.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.327] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x931ab10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.327] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.343] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x931ab10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.343] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.343] GetProcessHeap () returned 0x4e0000 [0100.343] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.343] GetProcessHeap () returned 0x4e0000 [0100.343] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.343] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9357ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.344] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.357] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9357ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.357] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.358] GetProcessHeap () returned 0x4e0000 [0100.358] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.358] GetProcessHeap () returned 0x4e0000 [0100.358] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.358] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9394c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.358] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.366] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9394c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.366] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.367] GetProcessHeap () returned 0x4e0000 [0100.367] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.367] GetProcessHeap () returned 0x4e0000 [0100.367] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.367] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x93d1cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.367] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.376] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x93d1cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.376] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.377] GetProcessHeap () returned 0x4e0000 [0100.377] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.377] GetProcessHeap () returned 0x4e0000 [0100.377] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.377] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x940ed50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.377] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.395] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x940ed50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.395] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.396] GetProcessHeap () returned 0x4e0000 [0100.396] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.398] GetProcessHeap () returned 0x4e0000 [0100.398] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.400] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x944bde0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.400] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.409] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x944bde0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.409] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.409] GetProcessHeap () returned 0x4e0000 [0100.409] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.410] GetProcessHeap () returned 0x4e0000 [0100.410] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.410] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9488e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.410] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.420] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9488e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.420] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.421] GetProcessHeap () returned 0x4e0000 [0100.421] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.421] GetProcessHeap () returned 0x4e0000 [0100.421] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.421] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x94c5f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.421] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.431] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x94c5f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.431] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.432] GetProcessHeap () returned 0x4e0000 [0100.432] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.432] GetProcessHeap () returned 0x4e0000 [0100.432] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.432] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9502f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.432] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.451] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9502f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.451] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.451] GetProcessHeap () returned 0x4e0000 [0100.452] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.452] GetProcessHeap () returned 0x4e0000 [0100.452] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.452] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9540020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.452] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.462] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9540020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.463] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.463] GetProcessHeap () returned 0x4e0000 [0100.463] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.463] GetProcessHeap () returned 0x4e0000 [0100.463] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.463] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x957d0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.463] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.473] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x957d0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.473] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.474] GetProcessHeap () returned 0x4e0000 [0100.474] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.474] GetProcessHeap () returned 0x4e0000 [0100.474] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.474] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x95ba140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.475] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.485] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x95ba140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.485] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.486] GetProcessHeap () returned 0x4e0000 [0100.486] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.486] GetProcessHeap () returned 0x4e0000 [0100.486] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.486] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x95f71d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.486] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.506] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x95f71d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.506] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.508] GetProcessHeap () returned 0x4e0000 [0100.508] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.508] GetProcessHeap () returned 0x4e0000 [0100.508] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.508] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9634260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.508] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.517] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9634260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.517] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.518] GetProcessHeap () returned 0x4e0000 [0100.518] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.518] GetProcessHeap () returned 0x4e0000 [0100.518] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.518] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x96712f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.518] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.530] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x96712f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.530] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.530] GetProcessHeap () returned 0x4e0000 [0100.530] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.531] GetProcessHeap () returned 0x4e0000 [0100.531] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.531] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x96ae380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.531] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.541] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x96ae380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.541] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.541] GetProcessHeap () returned 0x4e0000 [0100.541] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.541] GetProcessHeap () returned 0x4e0000 [0100.541] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.541] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x96eb410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.541] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.558] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x96eb410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.558] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.560] GetProcessHeap () returned 0x4e0000 [0100.560] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.560] GetProcessHeap () returned 0x4e0000 [0100.560] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.560] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x97284a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.560] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.611] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x97284a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.611] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.612] GetProcessHeap () returned 0x4e0000 [0100.612] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.612] GetProcessHeap () returned 0x4e0000 [0100.612] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.612] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9765530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.612] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.622] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9765530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.622] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.623] GetProcessHeap () returned 0x4e0000 [0100.624] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.624] GetProcessHeap () returned 0x4e0000 [0100.625] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.625] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x97a25c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.625] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.633] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x97a25c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.633] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.634] GetProcessHeap () returned 0x4e0000 [0100.634] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.634] GetProcessHeap () returned 0x4e0000 [0100.634] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.634] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x97df650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.634] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.644] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x97df650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.644] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.645] GetProcessHeap () returned 0x4e0000 [0100.645] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.645] GetProcessHeap () returned 0x4e0000 [0100.645] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.645] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x981c6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.645] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.668] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x981c6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.668] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.668] GetProcessHeap () returned 0x4e0000 [0100.668] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.668] GetProcessHeap () returned 0x4e0000 [0100.669] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.669] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9859770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.669] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.680] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9859770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.680] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.681] GetProcessHeap () returned 0x4e0000 [0100.681] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.681] GetProcessHeap () returned 0x4e0000 [0100.681] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.681] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9896800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.681] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.693] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9896800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.693] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.694] GetProcessHeap () returned 0x4e0000 [0100.694] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.694] GetProcessHeap () returned 0x4e0000 [0100.694] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.694] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x98d3890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.694] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.704] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x98d3890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.704] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.704] GetProcessHeap () returned 0x4e0000 [0100.705] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.705] GetProcessHeap () returned 0x4e0000 [0100.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.705] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9910920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.705] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.723] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9910920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.723] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.724] GetProcessHeap () returned 0x4e0000 [0100.724] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.724] GetProcessHeap () returned 0x4e0000 [0100.724] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.724] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x994d9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.724] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.734] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x994d9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.734] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.735] GetProcessHeap () returned 0x4e0000 [0100.735] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.735] GetProcessHeap () returned 0x4e0000 [0100.735] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.735] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x998aa40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.735] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.752] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x998aa40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.752] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.752] GetProcessHeap () returned 0x4e0000 [0100.752] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.752] GetProcessHeap () returned 0x4e0000 [0100.753] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.753] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x99c7ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.753] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.763] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x99c7ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.763] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.763] GetProcessHeap () returned 0x4e0000 [0100.763] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.763] GetProcessHeap () returned 0x4e0000 [0100.763] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.764] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9a04b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.764] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.782] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9a04b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.782] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.783] GetProcessHeap () returned 0x4e0000 [0100.783] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.783] GetProcessHeap () returned 0x4e0000 [0100.783] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.783] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9a41bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.783] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.821] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9a41bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.822] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.822] GetProcessHeap () returned 0x4e0000 [0100.822] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.822] GetProcessHeap () returned 0x4e0000 [0100.822] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.822] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9a7ec80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.822] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.832] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9a7ec80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.833] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.833] GetProcessHeap () returned 0x4e0000 [0100.834] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.834] GetProcessHeap () returned 0x4e0000 [0100.834] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.834] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9abbd10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.834] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.844] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9abbd10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.844] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.844] GetProcessHeap () returned 0x4e0000 [0100.844] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.844] GetProcessHeap () returned 0x4e0000 [0100.844] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.844] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9af8da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.845] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.887] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9af8da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.887] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.889] GetProcessHeap () returned 0x4e0000 [0100.889] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.889] GetProcessHeap () returned 0x4e0000 [0100.889] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.889] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9b35e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.889] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.899] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9b35e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.899] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.900] GetProcessHeap () returned 0x4e0000 [0100.900] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.900] GetProcessHeap () returned 0x4e0000 [0100.900] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.900] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9b72ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.900] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.910] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9b72ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.910] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.911] GetProcessHeap () returned 0x4e0000 [0100.911] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.911] GetProcessHeap () returned 0x4e0000 [0100.911] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.911] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9baff50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.911] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.922] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9baff50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.922] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.922] GetProcessHeap () returned 0x4e0000 [0100.922] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.922] GetProcessHeap () returned 0x4e0000 [0100.923] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.923] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9becfe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.923] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.944] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9becfe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.944] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.946] GetProcessHeap () returned 0x4e0000 [0100.946] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.946] GetProcessHeap () returned 0x4e0000 [0100.946] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.946] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9c2a070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.946] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.956] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9c2a070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.956] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.956] GetProcessHeap () returned 0x4e0000 [0100.956] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.956] GetProcessHeap () returned 0x4e0000 [0100.956] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.957] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9c67100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.957] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.967] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9c67100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.967] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.967] GetProcessHeap () returned 0x4e0000 [0100.967] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.967] GetProcessHeap () returned 0x4e0000 [0100.967] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.968] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9ca4190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.968] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.979] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9ca4190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.979] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.980] GetProcessHeap () returned 0x4e0000 [0100.980] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.980] GetProcessHeap () returned 0x4e0000 [0100.980] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.980] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9ce1220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.980] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0100.990] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9ce1220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.990] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0100.991] GetProcessHeap () returned 0x4e0000 [0100.991] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0100.991] GetProcessHeap () returned 0x4e0000 [0100.991] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0100.991] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9d1e2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.991] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.010] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9d1e2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.010] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.011] GetProcessHeap () returned 0x4e0000 [0101.011] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.011] GetProcessHeap () returned 0x4e0000 [0101.011] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.011] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9d5b340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.011] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.022] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9d5b340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.022] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.023] GetProcessHeap () returned 0x4e0000 [0101.023] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.023] GetProcessHeap () returned 0x4e0000 [0101.023] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.023] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9d983d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.023] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.033] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9d983d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.033] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.034] GetProcessHeap () returned 0x4e0000 [0101.034] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.034] GetProcessHeap () returned 0x4e0000 [0101.034] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.034] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9dd5460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.034] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.044] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9dd5460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.044] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.044] GetProcessHeap () returned 0x4e0000 [0101.044] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.044] GetProcessHeap () returned 0x4e0000 [0101.045] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.045] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9e124f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.045] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.067] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9e124f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.068] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.068] GetProcessHeap () returned 0x4e0000 [0101.068] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.068] GetProcessHeap () returned 0x4e0000 [0101.068] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.068] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9e4f580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.068] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.085] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9e4f580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.085] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.085] GetProcessHeap () returned 0x4e0000 [0101.085] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.085] GetProcessHeap () returned 0x4e0000 [0101.085] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.085] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9e8c610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.086] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.095] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9e8c610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.095] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.096] GetProcessHeap () returned 0x4e0000 [0101.096] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.096] GetProcessHeap () returned 0x4e0000 [0101.096] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.096] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9ec96a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.096] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.106] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9ec96a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.106] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.106] GetProcessHeap () returned 0x4e0000 [0101.106] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.106] GetProcessHeap () returned 0x4e0000 [0101.107] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.107] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9f06730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.107] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.126] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9f06730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.126] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.127] GetProcessHeap () returned 0x4e0000 [0101.127] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.127] GetProcessHeap () returned 0x4e0000 [0101.127] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.127] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9f437c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.127] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.137] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9f437c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.137] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.137] GetProcessHeap () returned 0x4e0000 [0101.137] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.137] GetProcessHeap () returned 0x4e0000 [0101.138] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.138] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9f80850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.138] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.148] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9f80850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.148] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.148] GetProcessHeap () returned 0x4e0000 [0101.149] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.149] GetProcessHeap () returned 0x4e0000 [0101.149] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.149] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9fbd8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.149] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.164] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9fbd8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.164] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.164] GetProcessHeap () returned 0x4e0000 [0101.164] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.165] GetProcessHeap () returned 0x4e0000 [0101.165] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.165] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9ffa970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.165] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.183] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x9ffa970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.183] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.185] GetProcessHeap () returned 0x4e0000 [0101.185] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.185] GetProcessHeap () returned 0x4e0000 [0101.185] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.185] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa037a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.185] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.195] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa037a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.195] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.196] GetProcessHeap () returned 0x4e0000 [0101.196] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.196] GetProcessHeap () returned 0x4e0000 [0101.196] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.196] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa074a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.196] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.209] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa074a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.209] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.209] GetProcessHeap () returned 0x4e0000 [0101.209] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.210] GetProcessHeap () returned 0x4e0000 [0101.210] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.210] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa0b1b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.210] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.219] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa0b1b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.219] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.220] GetProcessHeap () returned 0x4e0000 [0101.220] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.220] GetProcessHeap () returned 0x4e0000 [0101.220] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1e848) returned 0x5098a0 [0101.220] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa0eebb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.220] ReadFile (in: hFile=0xe8, lpBuffer=0x5098a0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesRead=0x24deab0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.256] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0xa0eebb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.256] WriteFile (in: hFile=0xe8, lpBuffer=0x5098a0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x5098a0*, lpNumberOfBytesWritten=0x24deabc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.258] GetProcessHeap () returned 0x4e0000 [0101.258] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5098a0 | out: hHeap=0x4e0000) returned 1 [0101.258] CloseHandle (hObject=0xe8) returned 1 [0101.803] GetProcessHeap () returned 0x4e0000 [0101.803] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0101.803] GetProcessHeap () returned 0x4e0000 [0101.803] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0101.804] GetProcessHeap () returned 0x4e0000 [0101.804] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0101.804] GetProcessHeap () returned 0x4e0000 [0101.804] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0101.804] lstrcpyW (in: lpString1=0x24de8a8, lpString2="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0101.804] lstrcatW (in: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpString2=".NEPHILIM" | out: lpString1="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.NEPHILIM") returned="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.NEPHILIM" [0101.804] MoveFileW (lpExistingFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), lpNewFileName="C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.NEPHILIM" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.nephilim")) returned 1 [0102.021] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0x20001e, dwReserved1=0x24df5e0, cFileName="Winre.wim", cAlternateFileName="")) returned 0 [0102.021] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0102.022] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a7b2e4f, dwReserved1=0x3c67b114, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 0 [0102.022] FindClose (in: hFindFile=0x4ff0b8 | out: hFindFile=0x4ff0b8) returned 1 [0102.022] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x56231c60, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0xa1602bc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa1602bc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0102.022] lstrcmpiW (lpString1="System Volume Information", lpString2=".") returned 1 [0102.022] lstrcmpiW (lpString1="System Volume Information", lpString2="..") returned 1 [0102.022] lstrcmpiW (lpString1="System Volume Information", lpString2="...") returned 1 [0102.022] lstrcmpiW (lpString1="System Volume Information", lpString2="windows") returned -1 [0102.022] lstrcmpiW (lpString1="System Volume Information", lpString2="$RECYCLE.BIN") returned 1 [0102.022] lstrcmpiW (lpString1="System Volume Information", lpString2="rsa") returned 1 [0102.022] lstrcmpiW (lpString1="System Volume Information", lpString2="log") returned 1 [0102.022] lstrcmpiW (lpString1="System Volume Information", lpString2="NTDETECT.COM") returned 1 [0102.022] lstrcmpiW (lpString1="System Volume Information", lpString2="ntldr") returned 1 [0102.022] lstrcmpiW (lpString1="System Volume Information", lpString2="MSDOS.SYS") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="IO.SYS") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="boot.ini") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="AUTOEXEC.BAT") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="ntuser.dat") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="desktop.ini") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="CONFIG.SYS") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="RECYCLER") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="BOOTSECT.BAK") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="bootmgr") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="programdata") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="appdata") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="program files") returned 1 [0102.023] lstrcmpiW (lpString1="System Volume Information", lpString2="program files (x86)") returned 1 [0102.023] lstrcpyW (in: lpString1=0x24dfa58, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0102.023] lstrcatW (in: lpString1="C:\\", lpString2="System Volume Information" | out: lpString1="C:\\System Volume Information") returned="C:\\System Volume Information" [0102.023] lstrcatW (in: lpString1="C:\\System Volume Information", lpString2="\\" | out: lpString1="C:\\System Volume Information\\") returned="C:\\System Volume Information\\" [0102.023] lstrcpyW (in: lpString1=0x24df5e0, lpString2="C:\\System Volume Information\\" | out: lpString1="C:\\System Volume Information\\") returned="C:\\System Volume Information\\" [0102.023] lstrcatW (in: lpString1="C:\\System Volume Information\\", lpString2="*.*" | out: lpString1="C:\\System Volume Information\\*.*") returned="C:\\System Volume Information\\*.*" [0102.023] FindFirstFileW (in: lpFileName="C:\\System Volume Information\\*.*", lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a7b2e4f, dwReserved1=0x3c67b114, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 0xffffffff [0102.024] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0102.024] lstrcmpiW (lpString1="Users", lpString2=".") returned 1 [0102.024] lstrcmpiW (lpString1="Users", lpString2="..") returned 1 [0102.024] lstrcmpiW (lpString1="Users", lpString2="...") returned 1 [0102.024] lstrcmpiW (lpString1="Users", lpString2="windows") returned -1 [0102.024] lstrcmpiW (lpString1="Users", lpString2="$RECYCLE.BIN") returned 1 [0102.024] lstrcmpiW (lpString1="Users", lpString2="rsa") returned 1 [0102.024] lstrcmpiW (lpString1="Users", lpString2="log") returned 1 [0102.024] lstrcmpiW (lpString1="Users", lpString2="NTDETECT.COM") returned 1 [0102.024] lstrcmpiW (lpString1="Users", lpString2="ntldr") returned 1 [0102.024] lstrcmpiW (lpString1="Users", lpString2="MSDOS.SYS") returned 1 [0102.024] lstrcmpiW (lpString1="Users", lpString2="IO.SYS") returned 1 [0102.024] lstrcmpiW (lpString1="Users", lpString2="boot.ini") returned 1 [0102.024] lstrcmpiW (lpString1="Users", lpString2="AUTOEXEC.BAT") returned 1 [0102.025] lstrcmpiW (lpString1="Users", lpString2="ntuser.dat") returned 1 [0102.025] lstrcmpiW (lpString1="Users", lpString2="desktop.ini") returned 1 [0102.025] lstrcmpiW (lpString1="Users", lpString2="CONFIG.SYS") returned 1 [0102.025] lstrcmpiW (lpString1="Users", lpString2="RECYCLER") returned 1 [0102.025] lstrcmpiW (lpString1="Users", lpString2="BOOTSECT.BAK") returned 1 [0102.025] lstrcmpiW (lpString1="Users", lpString2="bootmgr") returned 1 [0102.025] lstrcmpiW (lpString1="Users", lpString2="programdata") returned 1 [0102.025] lstrcmpiW (lpString1="Users", lpString2="appdata") returned 1 [0102.025] lstrcmpiW (lpString1="Users", lpString2="program files") returned 1 [0102.025] lstrcmpiW (lpString1="Users", lpString2="program files (x86)") returned 1 [0102.025] lstrcpyW (in: lpString1=0x24dfa58, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0102.025] lstrcatW (in: lpString1="C:\\", lpString2="Users" | out: lpString1="C:\\Users") returned="C:\\Users" [0102.025] lstrcatW (in: lpString1="C:\\Users", lpString2="\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\" [0102.025] lstrcpyW (in: lpString1=0x24df5e0, lpString2="C:\\Users\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\" [0102.025] lstrcatW (in: lpString1="C:\\Users\\", lpString2="*.*" | out: lpString1="C:\\Users\\*.*") returned="C:\\Users\\*.*" [0102.025] FindFirstFileW (in: lpFileName="C:\\Users\\*.*", lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a7b2e4f, dwReserved1=0x3c67b114, cFileName=".", cAlternateFileName="")) returned 0x4ff0b8 [0102.025] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.025] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a7b2e4f, dwReserved1=0x3c67b114, cFileName="..", cAlternateFileName="")) returned 1 [0102.026] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.026] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.026] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a7b2e4f, dwReserved1=0x3c67b114, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2=".") returned 1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="..") returned 1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="...") returned 1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="windows") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="$RECYCLE.BIN") returned 1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="rsa") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="log") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="NTDETECT.COM") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="ntldr") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="MSDOS.SYS") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="IO.SYS") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="boot.ini") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="AUTOEXEC.BAT") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="ntuser.dat") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="desktop.ini") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="CONFIG.SYS") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="RECYCLER") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="BOOTSECT.BAK") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="bootmgr") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="programdata") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="appdata") returned -1 [0102.026] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="program files") returned -1 [0102.027] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="program files (x86)") returned -1 [0102.027] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Users\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\" [0102.027] lstrcatW (in: lpString1="C:\\Users\\", lpString2="5p5NrGJn0jS HALPmcxz" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz" [0102.027] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0102.027] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0102.027] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0102.027] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1a0018, dwReserved1=0x24df5e0, cFileName=".", cAlternateFileName="")) returned 0x5026e8 [0102.027] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.027] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1a0018, dwReserved1=0x24df5e0, cFileName="..", cAlternateFileName="")) returned 1 [0102.027] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.027] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.027] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1a0018, dwReserved1=0x24df5e0, cFileName="AppData", cAlternateFileName="")) returned 1 [0102.027] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0102.027] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0102.027] lstrcmpiW (lpString1="AppData", lpString2="...") returned 1 [0102.027] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="$RECYCLE.BIN") returned 1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="rsa") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="log") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="NTDETECT.COM") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="ntldr") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="MSDOS.SYS") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="IO.SYS") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="boot.ini") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="AUTOEXEC.BAT") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="ntuser.dat") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="desktop.ini") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="CONFIG.SYS") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="RECYCLER") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="BOOTSECT.BAK") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="programdata") returned -1 [0102.028] lstrcmpiW (lpString1="AppData", lpString2="appdata") returned 0 [0102.028] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0102.028] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0102.028] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0102.028] lstrcmpiW (lpString1="Application Data", lpString2="...") returned 1 [0102.028] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0102.028] lstrcmpiW (lpString1="Application Data", lpString2="$RECYCLE.BIN") returned 1 [0102.028] lstrcmpiW (lpString1="Application Data", lpString2="rsa") returned -1 [0102.028] lstrcmpiW (lpString1="Application Data", lpString2="log") returned -1 [0102.028] lstrcmpiW (lpString1="Application Data", lpString2="NTDETECT.COM") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="ntldr") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="MSDOS.SYS") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="IO.SYS") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="boot.ini") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="AUTOEXEC.BAT") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="ntuser.dat") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="desktop.ini") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="CONFIG.SYS") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="RECYCLER") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="BOOTSECT.BAK") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="programdata") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="appdata") returned 1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="program files") returned -1 [0102.029] lstrcmpiW (lpString1="Application Data", lpString2="program files (x86)") returned -1 [0102.029] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0102.029] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Application Data" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data" [0102.029] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\" [0102.029] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\" [0102.029] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*.*" [0102.029] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x759bddc7, ftCreationTime.dwLowDateTime=0x24de81c, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x504e68, ftLastAccessTime.dwHighDateTime=0x24dfeb4, ftLastWriteTime.dwLowDateTime=0x77cb1ecd, ftLastWriteTime.dwHighDateTime=0x24de844, nFileSizeHigh=0xfffffffe, nFileSizeLow=0x21, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="Ȩ", cAlternateFileName="̀")) returned 0xffffffff [0102.030] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2=".") returned 1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="..") returned 1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="...") returned 1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="windows") returned -1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="$RECYCLE.BIN") returned 1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="rsa") returned -1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="log") returned -1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="NTDETECT.COM") returned -1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="ntldr") returned -1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="MSDOS.SYS") returned -1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="IO.SYS") returned -1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="boot.ini") returned 1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="AUTOEXEC.BAT") returned 1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="ntuser.dat") returned -1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="desktop.ini") returned -1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="CONFIG.SYS") returned 1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="RECYCLER") returned -1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="BOOTSECT.BAK") returned 1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="bootmgr") returned 1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="programdata") returned -1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="appdata") returned 1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="program files") returned -1 [0102.031] lstrcmpiW (lpString1="Contacts", lpString2="program files (x86)") returned -1 [0102.031] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0102.031] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Contacts" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0102.032] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0102.032] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0102.032] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0102.032] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0102.032] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.032] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0102.032] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.032] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.032] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ea7ef20, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2ea7ef20, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2ea7ef20, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x49a, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="Aclviho ASldjfl.contact", cAlternateFileName="ACLVIH~1.CON")) returned 1 [0102.032] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2=".") returned 1 [0102.032] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="..") returned 1 [0102.032] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="...") returned 1 [0102.032] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="windows") returned -1 [0102.032] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="$RECYCLE.BIN") returned 1 [0102.032] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="rsa") returned -1 [0102.032] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="log") returned -1 [0102.032] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="NTDETECT.COM") returned -1 [0102.032] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="ntldr") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="MSDOS.SYS") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="IO.SYS") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="boot.ini") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="AUTOEXEC.BAT") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="ntuser.dat") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="desktop.ini") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="CONFIG.SYS") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="RECYCLER") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="BOOTSECT.BAK") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="bootmgr") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="programdata") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="appdata") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="program files") returned -1 [0102.033] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="program files (x86)") returned -1 [0102.033] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0102.033] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="Aclviho ASldjfl.contact" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" [0102.033] PathFindExtensionW (pszPath="Aclviho ASldjfl.contact") returned=".contact" [0102.033] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0102.033] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0102.033] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0102.033] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0102.033] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0102.033] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0102.034] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0102.034] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0102.034] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0102.034] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0102.034] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0102.034] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0102.034] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0102.034] lstrcmpiW (lpString1=".contact", lpString2=".NEPHILIM") returned -1 [0102.034] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0102.034] lstrcmpiW (lpString1=".contact", lpString2=".lnk") returned -1 [0102.034] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.034] lstrlenA (lpString="NEPHILIM") returned 8 [0102.034] GetProcessHeap () returned 0x4e0000 [0102.034] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5074d8 [0102.034] lstrlenA (lpString="NEPHILIM") returned 8 [0102.035] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.038] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1178) returned 1 [0102.038] GetProcessHeap () returned 0x4e0000 [0102.038] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.038] GetProcessHeap () returned 0x4e0000 [0102.038] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.038] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.039] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.039] GetProcessHeap () returned 0x4e0000 [0102.039] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.039] GetProcessHeap () returned 0x4e0000 [0102.039] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.039] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.040] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.040] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x49a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.040] SetLastError (dwErrCode=0x0) [0102.040] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.043] GetLastError () returned 0x0 [0102.043] GetLastError () returned 0x0 [0102.043] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x59a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.043] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.044] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x69a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.044] lstrlenA (lpString="NEPHILIM") returned 8 [0102.044] WriteFile (in: hFile=0xec, lpBuffer=0x5074d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5074d8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.044] GetProcessHeap () returned 0x4e0000 [0102.044] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x49a) returned 0x504e68 [0102.044] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.044] ReadFile (in: hFile=0xec, lpBuffer=0x504e68, nNumberOfBytesToRead=0x49a, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x504e68*, lpNumberOfBytesRead=0x24de430*=0x49a, lpOverlapped=0x0) returned 1 [0102.044] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.044] WriteFile (in: hFile=0xec, lpBuffer=0x504e68*, nNumberOfBytesToWrite=0x49a, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504e68*, lpNumberOfBytesWritten=0x24de43c*=0x49a, lpOverlapped=0x0) returned 1 [0102.044] GetProcessHeap () returned 0x4e0000 [0102.044] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e68 | out: hHeap=0x4e0000) returned 1 [0102.044] CloseHandle (hObject=0xec) returned 1 [0102.052] GetProcessHeap () returned 0x4e0000 [0102.052] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.052] GetProcessHeap () returned 0x4e0000 [0102.052] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.052] GetProcessHeap () returned 0x4e0000 [0102.052] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.052] GetProcessHeap () returned 0x4e0000 [0102.052] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.053] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" [0102.053] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.NEPHILIM" [0102.053] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.nephilim")) returned 1 [0102.054] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2=".") returned 1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="..") returned 1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="...") returned 1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="windows") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="$RECYCLE.BIN") returned 1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="rsa") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="log") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="NTDETECT.COM") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="ntldr") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="MSDOS.SYS") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="IO.SYS") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="boot.ini") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="AUTOEXEC.BAT") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="ntuser.dat") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="desktop.ini") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="CONFIG.SYS") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="RECYCLER") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="BOOTSECT.BAK") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="bootmgr") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="programdata") returned -1 [0102.054] lstrcmpiW (lpString1="Administrator.contact", lpString2="appdata") returned -1 [0102.055] lstrcmpiW (lpString1="Administrator.contact", lpString2="program files") returned -1 [0102.055] lstrcmpiW (lpString1="Administrator.contact", lpString2="program files (x86)") returned -1 [0102.055] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0102.055] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="Administrator.contact" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" [0102.055] PathFindExtensionW (pszPath="Administrator.contact") returned=".contact" [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".NEPHILIM") returned -1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0102.055] lstrcmpiW (lpString1=".contact", lpString2=".lnk") returned -1 [0102.055] lstrcmpiW (lpString1="Administrator.contact", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.056] lstrlenA (lpString="NEPHILIM") returned 8 [0102.056] GetProcessHeap () returned 0x4e0000 [0102.056] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5074e8 [0102.056] lstrlenA (lpString="NEPHILIM") returned 8 [0102.056] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.056] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=68382) returned 1 [0102.056] GetProcessHeap () returned 0x4e0000 [0102.056] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.056] GetProcessHeap () returned 0x4e0000 [0102.056] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.056] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.056] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.057] GetProcessHeap () returned 0x4e0000 [0102.057] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.057] GetProcessHeap () returned 0x4e0000 [0102.057] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.057] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.057] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.057] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10b1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.057] SetLastError (dwErrCode=0x0) [0102.057] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.061] GetLastError () returned 0x0 [0102.061] GetLastError () returned 0x0 [0102.061] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10c1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.061] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.061] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10d1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.061] lstrlenA (lpString="NEPHILIM") returned 8 [0102.061] WriteFile (in: hFile=0xec, lpBuffer=0x5074e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5074e8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.061] GetProcessHeap () returned 0x4e0000 [0102.061] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10b1e) returned 0x50a8a8 [0102.061] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.061] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x10b1e, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x10b1e, lpOverlapped=0x0) returned 1 [0102.067] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.067] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x10b1e, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x10b1e, lpOverlapped=0x0) returned 1 [0102.068] GetProcessHeap () returned 0x4e0000 [0102.068] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.068] CloseHandle (hObject=0xec) returned 1 [0102.076] GetProcessHeap () returned 0x4e0000 [0102.076] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.076] GetProcessHeap () returned 0x4e0000 [0102.076] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.077] GetProcessHeap () returned 0x4e0000 [0102.077] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.077] GetProcessHeap () returned 0x4e0000 [0102.077] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.077] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" [0102.077] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.NEPHILIM" [0102.077] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.nephilim")) returned 1 [0102.078] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaa5080, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaa5080, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaa5080, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="asdlfk poopvy.contact", cAlternateFileName="ASDLFK~1.CON")) returned 1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2=".") returned 1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="..") returned 1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="...") returned 1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="windows") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="$RECYCLE.BIN") returned 1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="rsa") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="log") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="NTDETECT.COM") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="ntldr") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="MSDOS.SYS") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="IO.SYS") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="boot.ini") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="AUTOEXEC.BAT") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="ntuser.dat") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="desktop.ini") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="CONFIG.SYS") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="RECYCLER") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="BOOTSECT.BAK") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="bootmgr") returned -1 [0102.078] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="programdata") returned -1 [0102.079] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="appdata") returned 1 [0102.079] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="program files") returned -1 [0102.079] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="program files (x86)") returned -1 [0102.079] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0102.079] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="asdlfk poopvy.contact" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" [0102.079] PathFindExtensionW (pszPath="asdlfk poopvy.contact") returned=".contact" [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".NEPHILIM") returned -1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0102.079] lstrcmpiW (lpString1=".contact", lpString2=".lnk") returned -1 [0102.079] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.079] lstrlenA (lpString="NEPHILIM") returned 8 [0102.080] GetProcessHeap () returned 0x4e0000 [0102.080] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5074f8 [0102.080] lstrlenA (lpString="NEPHILIM") returned 8 [0102.080] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.080] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1171) returned 1 [0102.080] GetProcessHeap () returned 0x4e0000 [0102.080] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.080] GetProcessHeap () returned 0x4e0000 [0102.080] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.080] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.080] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.080] GetProcessHeap () returned 0x4e0000 [0102.081] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.081] GetProcessHeap () returned 0x4e0000 [0102.081] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.081] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.081] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.081] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x493, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.081] SetLastError (dwErrCode=0x0) [0102.081] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.144] GetLastError () returned 0x0 [0102.144] GetLastError () returned 0x0 [0102.144] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x593, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.144] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.144] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x693, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.144] lstrlenA (lpString="NEPHILIM") returned 8 [0102.144] WriteFile (in: hFile=0xec, lpBuffer=0x5074f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5074f8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.144] GetProcessHeap () returned 0x4e0000 [0102.144] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x493) returned 0x504e68 [0102.144] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.144] ReadFile (in: hFile=0xec, lpBuffer=0x504e68, nNumberOfBytesToRead=0x493, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x504e68*, lpNumberOfBytesRead=0x24de430*=0x493, lpOverlapped=0x0) returned 1 [0102.144] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.144] WriteFile (in: hFile=0xec, lpBuffer=0x504e68*, nNumberOfBytesToWrite=0x493, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504e68*, lpNumberOfBytesWritten=0x24de43c*=0x493, lpOverlapped=0x0) returned 1 [0102.145] GetProcessHeap () returned 0x4e0000 [0102.145] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e68 | out: hHeap=0x4e0000) returned 1 [0102.145] CloseHandle (hObject=0xec) returned 1 [0102.148] GetProcessHeap () returned 0x4e0000 [0102.148] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.148] GetProcessHeap () returned 0x4e0000 [0102.148] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.148] GetProcessHeap () returned 0x4e0000 [0102.148] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.148] GetProcessHeap () returned 0x4e0000 [0102.148] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.148] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" [0102.148] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.NEPHILIM" [0102.148] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.nephilim")) returned 1 [0102.150] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eacb1e0, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eacb1e0, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eacb1e0, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x499, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="chucu jadnvk.contact", cAlternateFileName="CHUCUJ~1.CON")) returned 1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2=".") returned 1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="..") returned 1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="...") returned 1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="windows") returned -1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="$RECYCLE.BIN") returned 1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="rsa") returned -1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="log") returned -1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="NTDETECT.COM") returned -1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="ntldr") returned -1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="MSDOS.SYS") returned -1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="IO.SYS") returned -1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="boot.ini") returned 1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="AUTOEXEC.BAT") returned 1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="ntuser.dat") returned -1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="desktop.ini") returned -1 [0102.150] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="CONFIG.SYS") returned -1 [0102.151] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="RECYCLER") returned -1 [0102.151] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="BOOTSECT.BAK") returned 1 [0102.151] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="bootmgr") returned 1 [0102.151] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="programdata") returned -1 [0102.151] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="appdata") returned 1 [0102.151] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="program files") returned -1 [0102.151] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="program files (x86)") returned -1 [0102.151] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0102.151] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="chucu jadnvk.contact" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" [0102.151] PathFindExtensionW (pszPath="chucu jadnvk.contact") returned=".contact" [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".NEPHILIM") returned -1 [0102.151] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0102.152] lstrcmpiW (lpString1=".contact", lpString2=".lnk") returned -1 [0102.152] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.152] lstrlenA (lpString="NEPHILIM") returned 8 [0102.152] GetProcessHeap () returned 0x4e0000 [0102.152] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507508 [0102.152] lstrlenA (lpString="NEPHILIM") returned 8 [0102.152] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.155] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1177) returned 1 [0102.155] GetProcessHeap () returned 0x4e0000 [0102.155] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.155] GetProcessHeap () returned 0x4e0000 [0102.155] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.155] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.155] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.155] GetProcessHeap () returned 0x4e0000 [0102.155] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.155] GetProcessHeap () returned 0x4e0000 [0102.155] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.155] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.156] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.156] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x499, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.156] SetLastError (dwErrCode=0x0) [0102.156] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.162] GetLastError () returned 0x0 [0102.162] GetLastError () returned 0x0 [0102.162] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x599, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.162] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.162] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x699, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.162] lstrlenA (lpString="NEPHILIM") returned 8 [0102.162] WriteFile (in: hFile=0xec, lpBuffer=0x507508*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507508*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.162] GetProcessHeap () returned 0x4e0000 [0102.162] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x499) returned 0x504e68 [0102.162] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.163] ReadFile (in: hFile=0xec, lpBuffer=0x504e68, nNumberOfBytesToRead=0x499, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x504e68*, lpNumberOfBytesRead=0x24de430*=0x499, lpOverlapped=0x0) returned 1 [0102.163] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.163] WriteFile (in: hFile=0xec, lpBuffer=0x504e68*, nNumberOfBytesToWrite=0x499, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504e68*, lpNumberOfBytesWritten=0x24de43c*=0x499, lpOverlapped=0x0) returned 1 [0102.163] GetProcessHeap () returned 0x4e0000 [0102.163] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e68 | out: hHeap=0x4e0000) returned 1 [0102.163] CloseHandle (hObject=0xec) returned 1 [0102.164] GetProcessHeap () returned 0x4e0000 [0102.164] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.164] GetProcessHeap () returned 0x4e0000 [0102.164] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.164] GetProcessHeap () returned 0x4e0000 [0102.164] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.164] GetProcessHeap () returned 0x4e0000 [0102.164] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.164] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" [0102.164] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.NEPHILIM" [0102.165] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.nephilim")) returned 1 [0102.165] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0102.165] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0102.165] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0102.166] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0102.166] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="lulcit amkdfe.contact", cAlternateFileName="LULCIT~1.CON")) returned 1 [0102.166] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2=".") returned 1 [0102.166] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="..") returned 1 [0102.166] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="...") returned 1 [0102.166] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="windows") returned -1 [0102.166] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="$RECYCLE.BIN") returned 1 [0102.166] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="rsa") returned -1 [0102.166] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="log") returned 1 [0102.166] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="NTDETECT.COM") returned -1 [0102.166] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="ntldr") returned -1 [0102.166] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="MSDOS.SYS") returned -1 [0102.166] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="IO.SYS") returned 1 [0102.166] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="boot.ini") returned 1 [0102.167] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="AUTOEXEC.BAT") returned 1 [0102.167] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="ntuser.dat") returned -1 [0102.167] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="desktop.ini") returned 1 [0102.167] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="CONFIG.SYS") returned 1 [0102.167] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="RECYCLER") returned -1 [0102.167] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="BOOTSECT.BAK") returned 1 [0102.167] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="bootmgr") returned 1 [0102.167] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="programdata") returned -1 [0102.167] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="appdata") returned 1 [0102.167] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="program files") returned -1 [0102.167] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="program files (x86)") returned -1 [0102.167] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0102.167] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="lulcit amkdfe.contact" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" [0102.167] PathFindExtensionW (pszPath="lulcit amkdfe.contact") returned=".contact" [0102.167] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0102.167] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0102.167] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0102.167] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0102.167] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0102.167] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0102.167] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0102.167] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0102.167] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0102.167] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0102.168] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0102.168] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0102.168] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0102.168] lstrcmpiW (lpString1=".contact", lpString2=".NEPHILIM") returned -1 [0102.168] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0102.168] lstrcmpiW (lpString1=".contact", lpString2=".lnk") returned -1 [0102.168] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.168] lstrlenA (lpString="NEPHILIM") returned 8 [0102.168] GetProcessHeap () returned 0x4e0000 [0102.168] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507518 [0102.168] lstrlenA (lpString="NEPHILIM") returned 8 [0102.168] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.171] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1174) returned 1 [0102.171] GetProcessHeap () returned 0x4e0000 [0102.171] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.171] GetProcessHeap () returned 0x4e0000 [0102.171] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.171] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.171] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.171] GetProcessHeap () returned 0x4e0000 [0102.171] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.171] GetProcessHeap () returned 0x4e0000 [0102.171] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.171] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.172] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.172] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x496, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.172] SetLastError (dwErrCode=0x0) [0102.172] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.175] GetLastError () returned 0x0 [0102.175] GetLastError () returned 0x0 [0102.175] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x596, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.175] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.176] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x696, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.176] lstrlenA (lpString="NEPHILIM") returned 8 [0102.176] WriteFile (in: hFile=0xec, lpBuffer=0x507518*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507518*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.176] GetProcessHeap () returned 0x4e0000 [0102.177] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x496) returned 0x504e68 [0102.177] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.177] ReadFile (in: hFile=0xec, lpBuffer=0x504e68, nNumberOfBytesToRead=0x496, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x504e68*, lpNumberOfBytesRead=0x24de430*=0x496, lpOverlapped=0x0) returned 1 [0102.177] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.177] WriteFile (in: hFile=0xec, lpBuffer=0x504e68*, nNumberOfBytesToWrite=0x496, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504e68*, lpNumberOfBytesWritten=0x24de43c*=0x496, lpOverlapped=0x0) returned 1 [0102.177] GetProcessHeap () returned 0x4e0000 [0102.178] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e68 | out: hHeap=0x4e0000) returned 1 [0102.178] CloseHandle (hObject=0xec) returned 1 [0102.183] GetProcessHeap () returned 0x4e0000 [0102.184] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.184] GetProcessHeap () returned 0x4e0000 [0102.184] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.184] GetProcessHeap () returned 0x4e0000 [0102.184] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.184] GetProcessHeap () returned 0x4e0000 [0102.184] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.184] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" [0102.184] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.NEPHILIM" [0102.184] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.nephilim")) returned 1 [0102.185] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2=".") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="..") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="...") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="windows") returned -1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="$RECYCLE.BIN") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="rsa") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="log") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="NTDETECT.COM") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="ntldr") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="MSDOS.SYS") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="IO.SYS") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="boot.ini") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="AUTOEXEC.BAT") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="ntuser.dat") returned 1 [0102.186] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="desktop.ini") returned 1 [0102.187] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="CONFIG.SYS") returned 1 [0102.187] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="RECYCLER") returned 1 [0102.187] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="BOOTSECT.BAK") returned 1 [0102.187] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="bootmgr") returned 1 [0102.187] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="programdata") returned 1 [0102.187] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="appdata") returned 1 [0102.187] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="program files") returned 1 [0102.187] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="program files (x86)") returned 1 [0102.187] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0102.187] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="sikvnb huvuib.contact" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" [0102.198] PathFindExtensionW (pszPath="sikvnb huvuib.contact") returned=".contact" [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".NEPHILIM") returned -1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0102.198] lstrcmpiW (lpString1=".contact", lpString2=".lnk") returned -1 [0102.198] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.198] lstrlenA (lpString="NEPHILIM") returned 8 [0102.198] GetProcessHeap () returned 0x4e0000 [0102.198] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507528 [0102.199] lstrlenA (lpString="NEPHILIM") returned 8 [0102.199] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.202] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=1172) returned 1 [0102.202] GetProcessHeap () returned 0x4e0000 [0102.202] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.202] GetProcessHeap () returned 0x4e0000 [0102.202] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.202] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.202] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.202] GetProcessHeap () returned 0x4e0000 [0102.202] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.203] GetProcessHeap () returned 0x4e0000 [0102.203] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.203] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.203] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.203] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x494, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.203] SetLastError (dwErrCode=0x0) [0102.203] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.207] GetLastError () returned 0x0 [0102.207] GetLastError () returned 0x0 [0102.207] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x594, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.207] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.207] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x694, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.207] lstrlenA (lpString="NEPHILIM") returned 8 [0102.207] WriteFile (in: hFile=0xec, lpBuffer=0x507528*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507528*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.207] GetProcessHeap () returned 0x4e0000 [0102.207] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x494) returned 0x504e68 [0102.207] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.207] ReadFile (in: hFile=0xec, lpBuffer=0x504e68, nNumberOfBytesToRead=0x494, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x504e68*, lpNumberOfBytesRead=0x24de430*=0x494, lpOverlapped=0x0) returned 1 [0102.207] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.207] WriteFile (in: hFile=0xec, lpBuffer=0x504e68*, nNumberOfBytesToWrite=0x494, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504e68*, lpNumberOfBytesWritten=0x24de43c*=0x494, lpOverlapped=0x0) returned 1 [0102.208] GetProcessHeap () returned 0x4e0000 [0102.208] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e68 | out: hHeap=0x4e0000) returned 1 [0102.208] CloseHandle (hObject=0xec) returned 1 [0102.216] GetProcessHeap () returned 0x4e0000 [0102.216] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.216] GetProcessHeap () returned 0x4e0000 [0102.216] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.216] GetProcessHeap () returned 0x4e0000 [0102.216] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.216] GetProcessHeap () returned 0x4e0000 [0102.216] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.216] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" [0102.216] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.NEPHILIM" [0102.216] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.nephilim")) returned 1 [0102.217] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 0 [0102.217] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0102.217] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0102.217] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0102.217] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0102.217] lstrcmpiW (lpString1="Cookies", lpString2="...") returned 1 [0102.217] lstrcmpiW (lpString1="Cookies", lpString2="windows") returned -1 [0102.217] lstrcmpiW (lpString1="Cookies", lpString2="$RECYCLE.BIN") returned 1 [0102.217] lstrcmpiW (lpString1="Cookies", lpString2="rsa") returned -1 [0102.217] lstrcmpiW (lpString1="Cookies", lpString2="log") returned -1 [0102.217] lstrcmpiW (lpString1="Cookies", lpString2="NTDETECT.COM") returned -1 [0102.217] lstrcmpiW (lpString1="Cookies", lpString2="ntldr") returned -1 [0102.217] lstrcmpiW (lpString1="Cookies", lpString2="MSDOS.SYS") returned -1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="IO.SYS") returned -1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="boot.ini") returned 1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="AUTOEXEC.BAT") returned 1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="ntuser.dat") returned -1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="desktop.ini") returned -1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="CONFIG.SYS") returned 1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="RECYCLER") returned -1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="BOOTSECT.BAK") returned 1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="bootmgr") returned 1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="programdata") returned -1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="appdata") returned 1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="program files") returned -1 [0102.218] lstrcmpiW (lpString1="Cookies", lpString2="program files (x86)") returned -1 [0102.218] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0102.218] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Cookies" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies" [0102.218] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\" [0102.218] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\" [0102.218] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*.*" [0102.218] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 0xffffffff [0102.219] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc99a3120, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xc99a3120, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="$RECYCLE.BIN") returned 1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="log") returned -1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="NTDETECT.COM") returned -1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="ntldr") returned -1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="MSDOS.SYS") returned -1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="IO.SYS") returned -1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="boot.ini") returned 1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="AUTOEXEC.BAT") returned 1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="desktop.ini") returned -1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="CONFIG.SYS") returned 1 [0102.219] lstrcmpiW (lpString1="Desktop", lpString2="RECYCLER") returned -1 [0102.220] lstrcmpiW (lpString1="Desktop", lpString2="BOOTSECT.BAK") returned 1 [0102.220] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0102.220] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0102.220] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0102.220] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0102.220] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0102.220] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0102.220] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Desktop" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0102.220] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.220] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.220] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0102.220] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc99a3120, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xc99a3120, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0102.220] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.220] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc99a3120, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xc99a3120, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0102.220] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.220] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.221] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e04530, ftCreationTime.dwHighDateTime=0x1d5e007, ftLastAccessTime.dwLowDateTime=0x75fe7600, ftLastAccessTime.dwHighDateTime=0x1d5e468, ftLastWriteTime.dwLowDateTime=0x75fe7600, ftLastWriteTime.dwHighDateTime=0x1d5e468, nFileSizeHigh=0x0, nFileSizeLow=0x29c3, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="-eRoGn44FLd7nVa_qp.swf", cAlternateFileName="-EROGN~1.SWF")) returned 1 [0102.221] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2=".") returned 1 [0102.221] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="..") returned 1 [0102.221] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="...") returned 1 [0102.221] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="windows") returned -1 [0102.221] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="$RECYCLE.BIN") returned 1 [0102.221] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="rsa") returned -1 [0102.253] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="log") returned -1 [0102.253] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="NTDETECT.COM") returned -1 [0102.253] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="ntldr") returned -1 [0102.254] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="MSDOS.SYS") returned -1 [0102.254] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="IO.SYS") returned -1 [0102.254] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="boot.ini") returned 1 [0102.254] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="AUTOEXEC.BAT") returned 1 [0102.254] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="ntuser.dat") returned -1 [0102.254] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="desktop.ini") returned 1 [0102.254] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="CONFIG.SYS") returned 1 [0102.254] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="RECYCLER") returned -1 [0102.254] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="BOOTSECT.BAK") returned 1 [0102.269] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="bootmgr") returned 1 [0102.270] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="programdata") returned -1 [0102.270] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="appdata") returned 1 [0102.270] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="program files") returned -1 [0102.270] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="program files (x86)") returned -1 [0102.270] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.270] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="-eRoGn44FLd7nVa_qp.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-eRoGn44FLd7nVa_qp.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-eRoGn44FLd7nVa_qp.swf" [0102.270] PathFindExtensionW (pszPath="-eRoGn44FLd7nVa_qp.swf") returned=".swf" [0102.270] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0102.270] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0102.270] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0102.270] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0102.270] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0102.270] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0102.270] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0102.270] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0102.270] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0102.270] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0102.270] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0102.271] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0102.271] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0102.271] lstrcmpiW (lpString1=".swf", lpString2=".NEPHILIM") returned 1 [0102.271] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0102.271] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0102.271] lstrcmpiW (lpString1="-eRoGn44FLd7nVa_qp.swf", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.271] lstrlenA (lpString="NEPHILIM") returned 8 [0102.271] GetProcessHeap () returned 0x4e0000 [0102.271] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507538 [0102.271] lstrlenA (lpString="NEPHILIM") returned 8 [0102.271] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-eRoGn44FLd7nVa_qp.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-erogn44fld7nva_qp.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.271] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=10691) returned 1 [0102.271] GetProcessHeap () returned 0x4e0000 [0102.271] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.271] GetProcessHeap () returned 0x4e0000 [0102.271] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.271] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.272] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.272] GetProcessHeap () returned 0x4e0000 [0102.272] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.272] GetProcessHeap () returned 0x4e0000 [0102.272] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.272] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.272] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.272] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x29c3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.272] SetLastError (dwErrCode=0x0) [0102.272] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.274] GetLastError () returned 0x0 [0102.274] GetLastError () returned 0x0 [0102.274] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2ac3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.274] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.274] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2bc3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.274] lstrlenA (lpString="NEPHILIM") returned 8 [0102.274] WriteFile (in: hFile=0xec, lpBuffer=0x507538*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507538*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.274] GetProcessHeap () returned 0x4e0000 [0102.274] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x29c3) returned 0x50a8a8 [0102.274] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.274] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x29c3, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x29c3, lpOverlapped=0x0) returned 1 [0102.275] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.275] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x29c3, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x29c3, lpOverlapped=0x0) returned 1 [0102.275] GetProcessHeap () returned 0x4e0000 [0102.275] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.275] CloseHandle (hObject=0xec) returned 1 [0102.305] GetProcessHeap () returned 0x4e0000 [0102.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.305] GetProcessHeap () returned 0x4e0000 [0102.306] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.306] GetProcessHeap () returned 0x4e0000 [0102.306] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.306] GetProcessHeap () returned 0x4e0000 [0102.306] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.306] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-eRoGn44FLd7nVa_qp.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-eRoGn44FLd7nVa_qp.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-eRoGn44FLd7nVa_qp.swf" [0102.306] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-eRoGn44FLd7nVa_qp.swf", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-eRoGn44FLd7nVa_qp.swf.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-eRoGn44FLd7nVa_qp.swf.NEPHILIM" [0102.306] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-eRoGn44FLd7nVa_qp.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-erogn44fld7nva_qp.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-eRoGn44FLd7nVa_qp.swf.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-erogn44fld7nva_qp.swf.nephilim")) returned 1 [0102.308] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x373dc840, ftCreationTime.dwHighDateTime=0x1d5e3d6, ftLastAccessTime.dwLowDateTime=0xe6e9ed90, ftLastAccessTime.dwHighDateTime=0x1d5e3af, ftLastWriteTime.dwLowDateTime=0xe6e9ed90, ftLastWriteTime.dwHighDateTime=0x1d5e3af, nFileSizeHigh=0x0, nFileSizeLow=0x16ae0, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="2EdVR2BdL_UJ_Tb.wav", cAlternateFileName="2EDVR2~1.WAV")) returned 1 [0102.308] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2=".") returned 1 [0102.308] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="..") returned 1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="...") returned 1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="windows") returned -1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="$RECYCLE.BIN") returned 1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="rsa") returned -1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="log") returned -1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="NTDETECT.COM") returned -1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="ntldr") returned -1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="MSDOS.SYS") returned -1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="IO.SYS") returned -1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="boot.ini") returned -1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="AUTOEXEC.BAT") returned -1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="ntuser.dat") returned -1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="desktop.ini") returned -1 [0102.309] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="CONFIG.SYS") returned -1 [0102.310] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="RECYCLER") returned -1 [0102.310] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="BOOTSECT.BAK") returned -1 [0102.310] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="bootmgr") returned -1 [0102.310] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="programdata") returned -1 [0102.310] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="appdata") returned -1 [0102.310] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="program files") returned -1 [0102.310] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="program files (x86)") returned -1 [0102.310] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.310] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="2EdVR2BdL_UJ_Tb.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2EdVR2BdL_UJ_Tb.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2EdVR2BdL_UJ_Tb.wav" [0102.310] PathFindExtensionW (pszPath="2EdVR2BdL_UJ_Tb.wav") returned=".wav" [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0102.310] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0102.311] lstrcmpiW (lpString1="2EdVR2BdL_UJ_Tb.wav", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.311] lstrlenA (lpString="NEPHILIM") returned 8 [0102.311] GetProcessHeap () returned 0x4e0000 [0102.311] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507548 [0102.311] lstrlenA (lpString="NEPHILIM") returned 8 [0102.311] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2EdVR2BdL_UJ_Tb.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2edvr2bdl_uj_tb.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.314] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=92896) returned 1 [0102.314] GetProcessHeap () returned 0x4e0000 [0102.314] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.314] GetProcessHeap () returned 0x4e0000 [0102.314] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.314] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.314] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.314] GetProcessHeap () returned 0x4e0000 [0102.314] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.315] GetProcessHeap () returned 0x4e0000 [0102.315] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.315] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.315] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.315] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x16ae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.315] SetLastError (dwErrCode=0x0) [0102.315] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.317] GetLastError () returned 0x0 [0102.317] GetLastError () returned 0x0 [0102.317] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x16be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.317] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.317] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x16ce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.317] lstrlenA (lpString="NEPHILIM") returned 8 [0102.317] WriteFile (in: hFile=0xec, lpBuffer=0x507548*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507548*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.317] GetProcessHeap () returned 0x4e0000 [0102.317] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x16ae0) returned 0x50a8a8 [0102.317] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.317] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x16ae0, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x16ae0, lpOverlapped=0x0) returned 1 [0102.324] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.324] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x16ae0, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x16ae0, lpOverlapped=0x0) returned 1 [0102.324] GetProcessHeap () returned 0x4e0000 [0102.325] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.325] CloseHandle (hObject=0xec) returned 1 [0102.331] GetProcessHeap () returned 0x4e0000 [0102.331] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.332] GetProcessHeap () returned 0x4e0000 [0102.332] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.332] GetProcessHeap () returned 0x4e0000 [0102.332] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.332] GetProcessHeap () returned 0x4e0000 [0102.332] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.332] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2EdVR2BdL_UJ_Tb.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2EdVR2BdL_UJ_Tb.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2EdVR2BdL_UJ_Tb.wav" [0102.332] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2EdVR2BdL_UJ_Tb.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2EdVR2BdL_UJ_Tb.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2EdVR2BdL_UJ_Tb.wav.NEPHILIM" [0102.332] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2EdVR2BdL_UJ_Tb.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2edvr2bdl_uj_tb.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2EdVR2BdL_UJ_Tb.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2edvr2bdl_uj_tb.wav.nephilim")) returned 1 [0102.334] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa76a6d80, ftCreationTime.dwHighDateTime=0x1d5d7b5, ftLastAccessTime.dwLowDateTime=0x7c7bc390, ftLastAccessTime.dwHighDateTime=0x1d5e6e6, ftLastWriteTime.dwLowDateTime=0x7c7bc390, ftLastWriteTime.dwHighDateTime=0x1d5e6e6, nFileSizeHigh=0x0, nFileSizeLow=0x593f, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="5gGooh5YlZqE-cuHf7.ppt", cAlternateFileName="5GGOOH~1.PPT")) returned 1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2=".") returned 1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="..") returned 1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="...") returned 1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="windows") returned -1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="$RECYCLE.BIN") returned 1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="rsa") returned -1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="log") returned -1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="NTDETECT.COM") returned -1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="ntldr") returned -1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="MSDOS.SYS") returned -1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="IO.SYS") returned -1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="boot.ini") returned -1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="AUTOEXEC.BAT") returned -1 [0102.334] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="ntuser.dat") returned -1 [0102.335] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="desktop.ini") returned -1 [0102.335] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="CONFIG.SYS") returned -1 [0102.335] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="RECYCLER") returned -1 [0102.335] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="BOOTSECT.BAK") returned -1 [0102.335] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="bootmgr") returned -1 [0102.335] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="programdata") returned -1 [0102.335] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="appdata") returned -1 [0102.335] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="program files") returned -1 [0102.335] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="program files (x86)") returned -1 [0102.335] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.335] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="5gGooh5YlZqE-cuHf7.ppt" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5gGooh5YlZqE-cuHf7.ppt") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5gGooh5YlZqE-cuHf7.ppt" [0102.335] PathFindExtensionW (pszPath="5gGooh5YlZqE-cuHf7.ppt") returned=".ppt" [0102.335] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0102.335] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0102.335] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0102.335] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0102.335] lstrcmpiW (lpString1=".ppt", lpString2=".com") returned 1 [0102.335] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0102.335] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0102.335] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0102.335] lstrcmpiW (lpString1=".ppt", lpString2=".url") returned -1 [0102.335] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0102.335] lstrcmpiW (lpString1=".ppt", lpString2=".mp3") returned 1 [0102.336] lstrcmpiW (lpString1=".ppt", lpString2=".pif") returned 1 [0102.336] lstrcmpiW (lpString1=".ppt", lpString2=".mp4") returned 1 [0102.336] lstrcmpiW (lpString1=".ppt", lpString2=".NEPHILIM") returned 1 [0102.336] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0102.336] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0102.336] lstrcmpiW (lpString1="5gGooh5YlZqE-cuHf7.ppt", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.336] lstrlenA (lpString="NEPHILIM") returned 8 [0102.336] GetProcessHeap () returned 0x4e0000 [0102.336] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507558 [0102.336] lstrlenA (lpString="NEPHILIM") returned 8 [0102.336] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5gGooh5YlZqE-cuHf7.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5ggooh5ylzqe-cuhf7.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.336] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=22847) returned 1 [0102.336] GetProcessHeap () returned 0x4e0000 [0102.336] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.336] GetProcessHeap () returned 0x4e0000 [0102.336] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.336] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.336] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.336] GetProcessHeap () returned 0x4e0000 [0102.337] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.337] GetProcessHeap () returned 0x4e0000 [0102.337] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.337] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.337] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.337] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x593f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.337] SetLastError (dwErrCode=0x0) [0102.337] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.339] GetLastError () returned 0x0 [0102.339] GetLastError () returned 0x0 [0102.339] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x5a3f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.339] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.339] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x5b3f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.339] lstrlenA (lpString="NEPHILIM") returned 8 [0102.339] WriteFile (in: hFile=0xec, lpBuffer=0x507558*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507558*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.339] GetProcessHeap () returned 0x4e0000 [0102.339] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x593f) returned 0x50a8a8 [0102.339] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.339] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x593f, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x593f, lpOverlapped=0x0) returned 1 [0102.341] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.341] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x593f, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x593f, lpOverlapped=0x0) returned 1 [0102.341] GetProcessHeap () returned 0x4e0000 [0102.341] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.341] CloseHandle (hObject=0xec) returned 1 [0102.348] GetProcessHeap () returned 0x4e0000 [0102.348] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.348] GetProcessHeap () returned 0x4e0000 [0102.348] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.348] GetProcessHeap () returned 0x4e0000 [0102.348] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.348] GetProcessHeap () returned 0x4e0000 [0102.348] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.348] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5gGooh5YlZqE-cuHf7.ppt" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5gGooh5YlZqE-cuHf7.ppt") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5gGooh5YlZqE-cuHf7.ppt" [0102.348] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5gGooh5YlZqE-cuHf7.ppt", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5gGooh5YlZqE-cuHf7.ppt.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5gGooh5YlZqE-cuHf7.ppt.NEPHILIM" [0102.348] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5gGooh5YlZqE-cuHf7.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5ggooh5ylzqe-cuhf7.ppt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5gGooh5YlZqE-cuHf7.ppt.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5ggooh5ylzqe-cuhf7.ppt.nephilim")) returned 1 [0102.351] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47cdc1c0, ftCreationTime.dwHighDateTime=0x1d5dc32, ftLastAccessTime.dwLowDateTime=0xcc2216c0, ftLastAccessTime.dwHighDateTime=0x1d5e7e9, ftLastWriteTime.dwLowDateTime=0xcc2216c0, ftLastWriteTime.dwHighDateTime=0x1d5e7e9, nFileSizeHigh=0x0, nFileSizeLow=0x1064c, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="5xj5V13qcS 7 Q S.xls", cAlternateFileName="5XJ5V1~1.XLS")) returned 1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2=".") returned 1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="..") returned 1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="...") returned 1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="windows") returned -1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="$RECYCLE.BIN") returned 1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="rsa") returned -1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="log") returned -1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="NTDETECT.COM") returned -1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="ntldr") returned -1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="MSDOS.SYS") returned -1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="IO.SYS") returned -1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="boot.ini") returned -1 [0102.351] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="AUTOEXEC.BAT") returned -1 [0102.352] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="ntuser.dat") returned -1 [0102.352] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="desktop.ini") returned -1 [0102.352] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="CONFIG.SYS") returned -1 [0102.352] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="RECYCLER") returned -1 [0102.352] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="BOOTSECT.BAK") returned -1 [0102.352] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="bootmgr") returned -1 [0102.352] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="programdata") returned -1 [0102.352] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="appdata") returned -1 [0102.352] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="program files") returned -1 [0102.352] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="program files (x86)") returned -1 [0102.352] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.352] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="5xj5V13qcS 7 Q S.xls" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5xj5V13qcS 7 Q S.xls") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5xj5V13qcS 7 Q S.xls" [0102.352] PathFindExtensionW (pszPath="5xj5V13qcS 7 Q S.xls") returned=".xls" [0102.352] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0102.352] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0102.352] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0102.352] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0102.352] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0102.352] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0102.352] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0102.352] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0102.353] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0102.353] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0102.353] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0102.353] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0102.353] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0102.353] lstrcmpiW (lpString1=".xls", lpString2=".NEPHILIM") returned 1 [0102.353] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0102.353] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0102.353] lstrcmpiW (lpString1="5xj5V13qcS 7 Q S.xls", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.353] lstrlenA (lpString="NEPHILIM") returned 8 [0102.353] GetProcessHeap () returned 0x4e0000 [0102.353] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507568 [0102.353] lstrlenA (lpString="NEPHILIM") returned 8 [0102.353] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5xj5V13qcS 7 Q S.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5xj5v13qcs 7 q s.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.354] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=67148) returned 1 [0102.354] GetProcessHeap () returned 0x4e0000 [0102.354] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.354] GetProcessHeap () returned 0x4e0000 [0102.354] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.354] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.354] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.354] GetProcessHeap () returned 0x4e0000 [0102.354] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.354] GetProcessHeap () returned 0x4e0000 [0102.354] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.354] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.354] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.355] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1064c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.355] SetLastError (dwErrCode=0x0) [0102.355] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.356] GetLastError () returned 0x0 [0102.356] GetLastError () returned 0x0 [0102.356] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1074c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.356] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.356] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1084c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.356] lstrlenA (lpString="NEPHILIM") returned 8 [0102.356] WriteFile (in: hFile=0xec, lpBuffer=0x507568*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507568*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.356] GetProcessHeap () returned 0x4e0000 [0102.356] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1064c) returned 0x50a8a8 [0102.356] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.357] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x1064c, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x1064c, lpOverlapped=0x0) returned 1 [0102.362] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.362] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x1064c, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x1064c, lpOverlapped=0x0) returned 1 [0102.363] GetProcessHeap () returned 0x4e0000 [0102.363] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.363] CloseHandle (hObject=0xec) returned 1 [0102.365] GetProcessHeap () returned 0x4e0000 [0102.365] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.365] GetProcessHeap () returned 0x4e0000 [0102.365] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.365] GetProcessHeap () returned 0x4e0000 [0102.365] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.365] GetProcessHeap () returned 0x4e0000 [0102.365] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.365] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5xj5V13qcS 7 Q S.xls" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5xj5V13qcS 7 Q S.xls") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5xj5V13qcS 7 Q S.xls" [0102.365] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5xj5V13qcS 7 Q S.xls", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5xj5V13qcS 7 Q S.xls.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5xj5V13qcS 7 Q S.xls.NEPHILIM" [0102.365] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5xj5V13qcS 7 Q S.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5xj5v13qcs 7 q s.xls"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5xj5V13qcS 7 Q S.xls.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5xj5v13qcs 7 q s.xls.nephilim")) returned 1 [0102.367] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x245fa240, ftCreationTime.dwHighDateTime=0x1d5e0b4, ftLastAccessTime.dwLowDateTime=0x683d6360, ftLastAccessTime.dwHighDateTime=0x1d5e60b, ftLastWriteTime.dwLowDateTime=0x683d6360, ftLastWriteTime.dwHighDateTime=0x1d5e60b, nFileSizeHigh=0x0, nFileSizeLow=0x1339b, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="6YiZIyLqE12kEJALh.png", cAlternateFileName="6YIZIY~1.PNG")) returned 1 [0102.367] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2=".") returned 1 [0102.367] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="..") returned 1 [0102.367] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="...") returned 1 [0102.367] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="windows") returned -1 [0102.367] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="$RECYCLE.BIN") returned 1 [0102.367] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="rsa") returned -1 [0102.367] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="log") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="NTDETECT.COM") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="ntldr") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="MSDOS.SYS") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="IO.SYS") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="boot.ini") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="AUTOEXEC.BAT") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="ntuser.dat") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="desktop.ini") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="CONFIG.SYS") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="RECYCLER") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="BOOTSECT.BAK") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="bootmgr") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="programdata") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="appdata") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="program files") returned -1 [0102.368] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="program files (x86)") returned -1 [0102.368] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.368] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="6YiZIyLqE12kEJALh.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6YiZIyLqE12kEJALh.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6YiZIyLqE12kEJALh.png" [0102.368] PathFindExtensionW (pszPath="6YiZIyLqE12kEJALh.png") returned=".png" [0102.368] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0102.368] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0102.368] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0102.368] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0102.368] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0102.369] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0102.369] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0102.369] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0102.369] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0102.369] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0102.369] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0102.369] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0102.369] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0102.369] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0102.369] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0102.369] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0102.369] lstrcmpiW (lpString1="6YiZIyLqE12kEJALh.png", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.369] lstrlenA (lpString="NEPHILIM") returned 8 [0102.369] GetProcessHeap () returned 0x4e0000 [0102.369] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507578 [0102.369] lstrlenA (lpString="NEPHILIM") returned 8 [0102.369] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6YiZIyLqE12kEJALh.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6yiziylqe12kejalh.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.369] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=78747) returned 1 [0102.369] GetProcessHeap () returned 0x4e0000 [0102.369] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.370] GetProcessHeap () returned 0x4e0000 [0102.370] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.370] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.370] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.370] GetProcessHeap () returned 0x4e0000 [0102.370] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.370] GetProcessHeap () returned 0x4e0000 [0102.370] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.370] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.370] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.370] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1339b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.371] SetLastError (dwErrCode=0x0) [0102.371] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.372] GetLastError () returned 0x0 [0102.372] GetLastError () returned 0x0 [0102.372] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1349b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.372] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.372] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1359b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.372] lstrlenA (lpString="NEPHILIM") returned 8 [0102.372] WriteFile (in: hFile=0xec, lpBuffer=0x507578*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507578*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.372] GetProcessHeap () returned 0x4e0000 [0102.372] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1339b) returned 0x50a8a8 [0102.372] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.372] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x1339b, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x1339b, lpOverlapped=0x0) returned 1 [0102.378] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.378] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x1339b, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x1339b, lpOverlapped=0x0) returned 1 [0102.379] GetProcessHeap () returned 0x4e0000 [0102.379] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.379] CloseHandle (hObject=0xec) returned 1 [0102.387] GetProcessHeap () returned 0x4e0000 [0102.387] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.387] GetProcessHeap () returned 0x4e0000 [0102.387] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.387] GetProcessHeap () returned 0x4e0000 [0102.387] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.387] GetProcessHeap () returned 0x4e0000 [0102.387] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.387] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6YiZIyLqE12kEJALh.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6YiZIyLqE12kEJALh.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6YiZIyLqE12kEJALh.png" [0102.387] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6YiZIyLqE12kEJALh.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6YiZIyLqE12kEJALh.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6YiZIyLqE12kEJALh.png.NEPHILIM" [0102.387] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6YiZIyLqE12kEJALh.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6yiziylqe12kejalh.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6YiZIyLqE12kEJALh.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6yiziylqe12kejalh.png.nephilim")) returned 1 [0102.389] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0704980, ftCreationTime.dwHighDateTime=0x1d5de72, ftLastAccessTime.dwLowDateTime=0x8b351040, ftLastAccessTime.dwHighDateTime=0x1d5e5f0, ftLastWriteTime.dwLowDateTime=0x8b351040, ftLastWriteTime.dwHighDateTime=0x1d5e5f0, nFileSizeHigh=0x0, nFileSizeLow=0x5630, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="8A9bHvCD-3ZG-MFX j.mp3", cAlternateFileName="8A9BHV~1.MP3")) returned 1 [0102.389] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2=".") returned 1 [0102.389] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="..") returned 1 [0102.389] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="...") returned 1 [0102.389] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="windows") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="$RECYCLE.BIN") returned 1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="rsa") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="log") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="NTDETECT.COM") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="ntldr") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="MSDOS.SYS") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="IO.SYS") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="boot.ini") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="AUTOEXEC.BAT") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="ntuser.dat") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="desktop.ini") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="CONFIG.SYS") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="RECYCLER") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="BOOTSECT.BAK") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="bootmgr") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="programdata") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="appdata") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="program files") returned -1 [0102.390] lstrcmpiW (lpString1="8A9bHvCD-3ZG-MFX j.mp3", lpString2="program files (x86)") returned -1 [0102.390] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.390] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="8A9bHvCD-3ZG-MFX j.mp3" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8A9bHvCD-3ZG-MFX j.mp3") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8A9bHvCD-3ZG-MFX j.mp3" [0102.390] PathFindExtensionW (pszPath="8A9bHvCD-3ZG-MFX j.mp3") returned=".mp3" [0102.390] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0102.390] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0102.390] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0102.391] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0102.391] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0102.391] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0102.391] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0102.391] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0102.391] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0102.391] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0102.391] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0102.391] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd52c20, ftCreationTime.dwHighDateTime=0x1d5df0d, ftLastAccessTime.dwLowDateTime=0x4e3a4e90, ftLastAccessTime.dwHighDateTime=0x1d5e423, ftLastWriteTime.dwLowDateTime=0x4e3a4e90, ftLastWriteTime.dwHighDateTime=0x1d5e423, nFileSizeHigh=0x0, nFileSizeLow=0xe2ad, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="9NiLQvf6.png", cAlternateFileName="")) returned 1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2=".") returned 1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="..") returned 1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="...") returned 1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="windows") returned -1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="$RECYCLE.BIN") returned 1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="rsa") returned -1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="log") returned -1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="NTDETECT.COM") returned -1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="ntldr") returned -1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="MSDOS.SYS") returned -1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="IO.SYS") returned -1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="boot.ini") returned -1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="AUTOEXEC.BAT") returned -1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="ntuser.dat") returned -1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="desktop.ini") returned -1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="CONFIG.SYS") returned -1 [0102.391] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="RECYCLER") returned -1 [0102.392] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="BOOTSECT.BAK") returned -1 [0102.392] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="bootmgr") returned -1 [0102.392] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="programdata") returned -1 [0102.392] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="appdata") returned -1 [0102.392] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="program files") returned -1 [0102.392] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="program files (x86)") returned -1 [0102.392] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.392] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="9NiLQvf6.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9NiLQvf6.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9NiLQvf6.png" [0102.392] PathFindExtensionW (pszPath="9NiLQvf6.png") returned=".png" [0102.392] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0102.392] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0102.393] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0102.393] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0102.393] lstrcmpiW (lpString1="9NiLQvf6.png", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.393] lstrlenA (lpString="NEPHILIM") returned 8 [0102.393] GetProcessHeap () returned 0x4e0000 [0102.393] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507588 [0102.393] lstrlenA (lpString="NEPHILIM") returned 8 [0102.393] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9NiLQvf6.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9nilqvf6.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.393] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=58029) returned 1 [0102.393] GetProcessHeap () returned 0x4e0000 [0102.393] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.394] GetProcessHeap () returned 0x4e0000 [0102.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.394] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.394] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.394] GetProcessHeap () returned 0x4e0000 [0102.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.394] GetProcessHeap () returned 0x4e0000 [0102.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.394] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.394] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.394] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe2ad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.394] SetLastError (dwErrCode=0x0) [0102.395] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.396] GetLastError () returned 0x0 [0102.396] GetLastError () returned 0x0 [0102.396] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe3ad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.396] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.396] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe4ad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.396] lstrlenA (lpString="NEPHILIM") returned 8 [0102.396] WriteFile (in: hFile=0xec, lpBuffer=0x507588*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507588*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.396] GetProcessHeap () returned 0x4e0000 [0102.396] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xe2ad) returned 0x50a8a8 [0102.396] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.396] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0xe2ad, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0xe2ad, lpOverlapped=0x0) returned 1 [0102.400] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.400] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0xe2ad, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0xe2ad, lpOverlapped=0x0) returned 1 [0102.401] GetProcessHeap () returned 0x4e0000 [0102.401] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.401] CloseHandle (hObject=0xec) returned 1 [0102.404] GetProcessHeap () returned 0x4e0000 [0102.405] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.405] GetProcessHeap () returned 0x4e0000 [0102.405] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.405] GetProcessHeap () returned 0x4e0000 [0102.405] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.405] GetProcessHeap () returned 0x4e0000 [0102.405] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.405] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9NiLQvf6.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9NiLQvf6.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9NiLQvf6.png" [0102.405] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9NiLQvf6.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9NiLQvf6.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9NiLQvf6.png.NEPHILIM" [0102.405] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9NiLQvf6.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9nilqvf6.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9NiLQvf6.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9nilqvf6.png.nephilim")) returned 1 [0102.407] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b376c0, ftCreationTime.dwHighDateTime=0x1d5dd97, ftLastAccessTime.dwLowDateTime=0x551a77f0, ftLastAccessTime.dwHighDateTime=0x1d5dbb1, ftLastWriteTime.dwLowDateTime=0x551a77f0, ftLastWriteTime.dwHighDateTime=0x1d5dbb1, nFileSizeHigh=0x0, nFileSizeLow=0x8ea, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="A7T35tKnCX.mp4", cAlternateFileName="A7T35T~1.MP4")) returned 1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2=".") returned 1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="..") returned 1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="...") returned 1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="windows") returned -1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="$RECYCLE.BIN") returned 1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="rsa") returned -1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="log") returned -1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="NTDETECT.COM") returned -1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="ntldr") returned -1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="MSDOS.SYS") returned -1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="IO.SYS") returned -1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="boot.ini") returned -1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="AUTOEXEC.BAT") returned -1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="ntuser.dat") returned -1 [0102.407] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="desktop.ini") returned -1 [0102.408] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="CONFIG.SYS") returned -1 [0102.408] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="RECYCLER") returned -1 [0102.408] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="BOOTSECT.BAK") returned -1 [0102.408] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="bootmgr") returned -1 [0102.408] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="programdata") returned -1 [0102.408] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="appdata") returned -1 [0102.408] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="program files") returned -1 [0102.408] lstrcmpiW (lpString1="A7T35tKnCX.mp4", lpString2="program files (x86)") returned -1 [0102.408] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.408] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="A7T35tKnCX.mp4" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A7T35tKnCX.mp4") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A7T35tKnCX.mp4" [0102.408] PathFindExtensionW (pszPath="A7T35tKnCX.mp4") returned=".mp4" [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0102.408] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0102.409] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0102.409] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0102.409] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c236380, ftCreationTime.dwHighDateTime=0x1d5e388, ftLastAccessTime.dwLowDateTime=0x1d034e90, ftLastAccessTime.dwHighDateTime=0x1d5da81, ftLastWriteTime.dwLowDateTime=0x1d034e90, ftLastWriteTime.dwHighDateTime=0x1d5da81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="EK1PloBl6twa", cAlternateFileName="EK1PLO~1")) returned 1 [0102.409] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2=".") returned 1 [0102.409] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="..") returned 1 [0102.409] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="...") returned 1 [0102.409] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="windows") returned -1 [0102.409] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="$RECYCLE.BIN") returned 1 [0102.409] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="rsa") returned -1 [0102.409] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="log") returned -1 [0102.409] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="NTDETECT.COM") returned -1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="ntldr") returned -1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="MSDOS.SYS") returned -1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="IO.SYS") returned -1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="boot.ini") returned 1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="AUTOEXEC.BAT") returned 1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="ntuser.dat") returned -1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="desktop.ini") returned 1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="CONFIG.SYS") returned 1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="RECYCLER") returned -1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="BOOTSECT.BAK") returned 1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="bootmgr") returned 1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="programdata") returned -1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="appdata") returned 1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="program files") returned -1 [0102.410] lstrcmpiW (lpString1="EK1PloBl6twa", lpString2="program files (x86)") returned -1 [0102.410] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.410] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="EK1PloBl6twa" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa" [0102.410] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.410] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.410] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\*.*" [0102.410] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c236380, ftCreationTime.dwHighDateTime=0x1d5e388, ftLastAccessTime.dwLowDateTime=0x1d034e90, ftLastAccessTime.dwHighDateTime=0x1d5da81, ftLastWriteTime.dwLowDateTime=0x1d034e90, ftLastWriteTime.dwHighDateTime=0x1d5da81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName=".", cAlternateFileName="")) returned 0x502870 [0102.411] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.411] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c236380, ftCreationTime.dwHighDateTime=0x1d5e388, ftLastAccessTime.dwLowDateTime=0x1d034e90, ftLastAccessTime.dwHighDateTime=0x1d5da81, ftLastWriteTime.dwLowDateTime=0x1d034e90, ftLastWriteTime.dwHighDateTime=0x1d5da81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="..", cAlternateFileName="")) returned 1 [0102.411] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.411] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.411] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb89b570, ftCreationTime.dwHighDateTime=0x1d5e615, ftLastAccessTime.dwLowDateTime=0x992f660, ftLastAccessTime.dwHighDateTime=0x1d5db5f, ftLastWriteTime.dwLowDateTime=0x992f660, ftLastWriteTime.dwHighDateTime=0x1d5db5f, nFileSizeHigh=0x0, nFileSizeLow=0xbccc, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="-4 E8t.gif", cAlternateFileName="-4E8T~1.GIF")) returned 1 [0102.411] lstrcmpiW (lpString1="-4 E8t.gif", lpString2=".") returned 1 [0102.411] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="..") returned 1 [0102.411] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="...") returned 1 [0102.411] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="windows") returned -1 [0102.411] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="$RECYCLE.BIN") returned 1 [0102.411] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="rsa") returned -1 [0102.411] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="log") returned -1 [0102.411] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="NTDETECT.COM") returned -1 [0102.411] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="ntldr") returned -1 [0102.411] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="MSDOS.SYS") returned -1 [0102.411] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="IO.SYS") returned -1 [0102.411] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="boot.ini") returned -1 [0102.412] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="AUTOEXEC.BAT") returned -1 [0102.412] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="ntuser.dat") returned -1 [0102.412] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="desktop.ini") returned -1 [0102.412] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="CONFIG.SYS") returned -1 [0102.412] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="RECYCLER") returned -1 [0102.412] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="BOOTSECT.BAK") returned -1 [0102.412] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="bootmgr") returned -1 [0102.412] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="programdata") returned -1 [0102.412] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="appdata") returned -1 [0102.412] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="program files") returned -1 [0102.412] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="program files (x86)") returned -1 [0102.412] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.412] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\", lpString2="-4 E8t.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\-4 E8t.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\-4 E8t.gif" [0102.412] PathFindExtensionW (pszPath="-4 E8t.gif") returned=".gif" [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0102.412] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0102.413] lstrcmpiW (lpString1=".gif", lpString2=".NEPHILIM") returned -1 [0102.413] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0102.413] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0102.413] lstrcmpiW (lpString1="-4 E8t.gif", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.413] lstrlenA (lpString="NEPHILIM") returned 8 [0102.413] GetProcessHeap () returned 0x4e0000 [0102.413] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507598 [0102.413] lstrlenA (lpString="NEPHILIM") returned 8 [0102.413] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\-4 E8t.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\-4 e8t.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0102.413] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=48332) returned 1 [0102.413] GetProcessHeap () returned 0x4e0000 [0102.413] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.413] GetProcessHeap () returned 0x4e0000 [0102.413] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.413] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.413] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.413] GetProcessHeap () returned 0x4e0000 [0102.413] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.413] GetProcessHeap () returned 0x4e0000 [0102.413] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.413] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0102.414] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0102.414] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbccc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.414] SetLastError (dwErrCode=0x0) [0102.414] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.415] GetLastError () returned 0x0 [0102.415] GetLastError () returned 0x0 [0102.415] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbdcc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.415] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.415] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbecc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.415] lstrlenA (lpString="NEPHILIM") returned 8 [0102.415] WriteFile (in: hFile=0xf0, lpBuffer=0x507598*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507598*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0102.415] GetProcessHeap () returned 0x4e0000 [0102.415] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xbccc) returned 0x50b8b0 [0102.416] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.416] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0xbccc, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0xbccc, lpOverlapped=0x0) returned 1 [0102.419] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.419] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0xbccc, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0xbccc, lpOverlapped=0x0) returned 1 [0102.419] GetProcessHeap () returned 0x4e0000 [0102.419] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0102.419] CloseHandle (hObject=0xf0) returned 1 [0102.428] GetProcessHeap () returned 0x4e0000 [0102.428] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.428] GetProcessHeap () returned 0x4e0000 [0102.428] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.428] GetProcessHeap () returned 0x4e0000 [0102.428] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.428] GetProcessHeap () returned 0x4e0000 [0102.429] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.429] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\-4 E8t.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\-4 E8t.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\-4 E8t.gif" [0102.429] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\-4 E8t.gif", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\-4 E8t.gif.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\-4 E8t.gif.NEPHILIM" [0102.429] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\-4 E8t.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\-4 e8t.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\-4 E8t.gif.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\-4 e8t.gif.nephilim")) returned 1 [0102.431] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31b04200, ftCreationTime.dwHighDateTime=0x1d5df20, ftLastAccessTime.dwLowDateTime=0x70ea7130, ftLastAccessTime.dwHighDateTime=0x1d5d93e, ftLastWriteTime.dwLowDateTime=0x70ea7130, ftLastWriteTime.dwHighDateTime=0x1d5d93e, nFileSizeHigh=0x0, nFileSizeLow=0x1674f, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="2bvLjbvdge S.mp4", cAlternateFileName="2BVLJB~1.MP4")) returned 1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2=".") returned 1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="..") returned 1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="...") returned 1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="windows") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="$RECYCLE.BIN") returned 1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="rsa") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="log") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="NTDETECT.COM") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="ntldr") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="MSDOS.SYS") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="IO.SYS") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="boot.ini") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="AUTOEXEC.BAT") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="ntuser.dat") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="desktop.ini") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="CONFIG.SYS") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="RECYCLER") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="BOOTSECT.BAK") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="bootmgr") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="programdata") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="appdata") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="program files") returned -1 [0102.431] lstrcmpiW (lpString1="2bvLjbvdge S.mp4", lpString2="program files (x86)") returned -1 [0102.431] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.432] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\", lpString2="2bvLjbvdge S.mp4" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\2bvLjbvdge S.mp4") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\2bvLjbvdge S.mp4" [0102.432] PathFindExtensionW (pszPath="2bvLjbvdge S.mp4") returned=".mp4" [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0102.432] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0102.432] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52f2d660, ftCreationTime.dwHighDateTime=0x1d5dc48, ftLastAccessTime.dwLowDateTime=0x34da96b0, ftLastAccessTime.dwHighDateTime=0x1d5e2e0, ftLastWriteTime.dwLowDateTime=0x34da96b0, ftLastWriteTime.dwHighDateTime=0x1d5e2e0, nFileSizeHigh=0x0, nFileSizeLow=0x10a75, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="6RCGO0Nm5.wav", cAlternateFileName="6RCGO0~1.WAV")) returned 1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2=".") returned 1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="..") returned 1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="...") returned 1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="windows") returned -1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="$RECYCLE.BIN") returned 1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="rsa") returned -1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="log") returned -1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="NTDETECT.COM") returned -1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="ntldr") returned -1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="MSDOS.SYS") returned -1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="IO.SYS") returned -1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="boot.ini") returned -1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="AUTOEXEC.BAT") returned -1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="ntuser.dat") returned -1 [0102.432] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="desktop.ini") returned -1 [0102.433] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="CONFIG.SYS") returned -1 [0102.433] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="RECYCLER") returned -1 [0102.433] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="BOOTSECT.BAK") returned -1 [0102.433] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="bootmgr") returned -1 [0102.433] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="programdata") returned -1 [0102.433] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="appdata") returned -1 [0102.433] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="program files") returned -1 [0102.433] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="program files (x86)") returned -1 [0102.433] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.433] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\", lpString2="6RCGO0Nm5.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\6RCGO0Nm5.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\6RCGO0Nm5.wav" [0102.433] PathFindExtensionW (pszPath="6RCGO0Nm5.wav") returned=".wav" [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0102.433] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0102.433] lstrcmpiW (lpString1="6RCGO0Nm5.wav", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.433] lstrlenA (lpString="NEPHILIM") returned 8 [0102.433] GetProcessHeap () returned 0x4e0000 [0102.433] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5075a8 [0102.433] lstrlenA (lpString="NEPHILIM") returned 8 [0102.433] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\6RCGO0Nm5.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\6rcgo0nm5.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0102.434] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=68213) returned 1 [0102.434] GetProcessHeap () returned 0x4e0000 [0102.434] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.434] GetProcessHeap () returned 0x4e0000 [0102.434] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.434] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.434] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.434] GetProcessHeap () returned 0x4e0000 [0102.434] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.434] GetProcessHeap () returned 0x4e0000 [0102.434] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.434] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0102.434] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0102.435] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x10a75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.435] SetLastError (dwErrCode=0x0) [0102.435] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.436] GetLastError () returned 0x0 [0102.436] GetLastError () returned 0x0 [0102.436] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x10b75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.436] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.436] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x10c75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.436] lstrlenA (lpString="NEPHILIM") returned 8 [0102.436] WriteFile (in: hFile=0xf0, lpBuffer=0x5075a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5075a8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0102.436] GetProcessHeap () returned 0x4e0000 [0102.436] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10a75) returned 0x50b8b0 [0102.436] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.436] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0x10a75, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0x10a75, lpOverlapped=0x0) returned 1 [0102.440] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.440] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0x10a75, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x10a75, lpOverlapped=0x0) returned 1 [0102.440] GetProcessHeap () returned 0x4e0000 [0102.440] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0102.440] CloseHandle (hObject=0xf0) returned 1 [0102.442] GetProcessHeap () returned 0x4e0000 [0102.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.442] GetProcessHeap () returned 0x4e0000 [0102.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.442] GetProcessHeap () returned 0x4e0000 [0102.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.442] GetProcessHeap () returned 0x4e0000 [0102.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.442] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\6RCGO0Nm5.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\6RCGO0Nm5.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\6RCGO0Nm5.wav" [0102.442] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\6RCGO0Nm5.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\6RCGO0Nm5.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\6RCGO0Nm5.wav.NEPHILIM" [0102.443] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\6RCGO0Nm5.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\6rcgo0nm5.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\6RCGO0Nm5.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\6rcgo0nm5.wav.nephilim")) returned 1 [0102.444] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3c2680, ftCreationTime.dwHighDateTime=0x1d5d9a2, ftLastAccessTime.dwLowDateTime=0xc69ab3b0, ftLastAccessTime.dwHighDateTime=0x1d5df51, ftLastWriteTime.dwLowDateTime=0xc69ab3b0, ftLastWriteTime.dwHighDateTime=0x1d5df51, nFileSizeHigh=0x0, nFileSizeLow=0x5ab8, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="blyObdpvqdZs GX.odp", cAlternateFileName="BLYOBD~1.ODP")) returned 1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2=".") returned 1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="..") returned 1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="...") returned 1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="windows") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="$RECYCLE.BIN") returned 1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="rsa") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="log") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="NTDETECT.COM") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="ntldr") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="MSDOS.SYS") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="IO.SYS") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="boot.ini") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="AUTOEXEC.BAT") returned 1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="ntuser.dat") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="desktop.ini") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="CONFIG.SYS") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="RECYCLER") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="BOOTSECT.BAK") returned -1 [0102.444] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="bootmgr") returned -1 [0102.445] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="programdata") returned -1 [0102.445] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="appdata") returned 1 [0102.445] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="program files") returned -1 [0102.445] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="program files (x86)") returned -1 [0102.445] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.445] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\", lpString2="blyObdpvqdZs GX.odp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\blyObdpvqdZs GX.odp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\blyObdpvqdZs GX.odp" [0102.445] PathFindExtensionW (pszPath="blyObdpvqdZs GX.odp") returned=".odp" [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".log") returned 1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".cab") returned 1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".cmd") returned 1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".com") returned 1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".cpl") returned 1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".url") returned -1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".ttf") returned -1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".mp3") returned 1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".pif") returned -1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".mp4") returned 1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".NEPHILIM") returned 1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0102.445] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0102.445] lstrcmpiW (lpString1="blyObdpvqdZs GX.odp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.446] lstrlenA (lpString="NEPHILIM") returned 8 [0102.446] GetProcessHeap () returned 0x4e0000 [0102.446] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5075b8 [0102.446] lstrlenA (lpString="NEPHILIM") returned 8 [0102.446] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\blyObdpvqdZs GX.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\blyobdpvqdzs gx.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0102.446] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=23224) returned 1 [0102.446] GetProcessHeap () returned 0x4e0000 [0102.446] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.446] GetProcessHeap () returned 0x4e0000 [0102.446] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.446] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.446] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.446] GetProcessHeap () returned 0x4e0000 [0102.446] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.446] GetProcessHeap () returned 0x4e0000 [0102.446] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.446] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0102.447] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0102.447] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x5ab8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.447] SetLastError (dwErrCode=0x0) [0102.447] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.448] GetLastError () returned 0x0 [0102.448] GetLastError () returned 0x0 [0102.448] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x5bb8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.448] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.449] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x5cb8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.449] lstrlenA (lpString="NEPHILIM") returned 8 [0102.449] WriteFile (in: hFile=0xf0, lpBuffer=0x5075b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5075b8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0102.449] GetProcessHeap () returned 0x4e0000 [0102.449] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x5ab8) returned 0x50b8b0 [0102.449] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.449] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0x5ab8, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0x5ab8, lpOverlapped=0x0) returned 1 [0102.450] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.451] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0x5ab8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x5ab8, lpOverlapped=0x0) returned 1 [0102.451] GetProcessHeap () returned 0x4e0000 [0102.451] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0102.451] CloseHandle (hObject=0xf0) returned 1 [0102.455] GetProcessHeap () returned 0x4e0000 [0102.455] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.455] GetProcessHeap () returned 0x4e0000 [0102.455] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.455] GetProcessHeap () returned 0x4e0000 [0102.455] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.455] GetProcessHeap () returned 0x4e0000 [0102.455] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.455] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\blyObdpvqdZs GX.odp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\blyObdpvqdZs GX.odp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\blyObdpvqdZs GX.odp" [0102.455] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\blyObdpvqdZs GX.odp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\blyObdpvqdZs GX.odp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\blyObdpvqdZs GX.odp.NEPHILIM" [0102.455] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\blyObdpvqdZs GX.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\blyobdpvqdzs gx.odp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\blyObdpvqdZs GX.odp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\blyobdpvqdzs gx.odp.nephilim")) returned 1 [0102.457] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb4502550, ftCreationTime.dwHighDateTime=0x1d5e81b, ftLastAccessTime.dwLowDateTime=0x6b0760, ftLastAccessTime.dwHighDateTime=0x1d5dfd5, ftLastWriteTime.dwLowDateTime=0x6b0760, ftLastWriteTime.dwHighDateTime=0x1d5dfd5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="bqgDuyQBRz9", cAlternateFileName="BQGDUY~1")) returned 1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2=".") returned 1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="..") returned 1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="...") returned 1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="windows") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="$RECYCLE.BIN") returned 1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="rsa") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="log") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="NTDETECT.COM") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="ntldr") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="MSDOS.SYS") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="IO.SYS") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="boot.ini") returned 1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="AUTOEXEC.BAT") returned 1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="ntuser.dat") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="desktop.ini") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="CONFIG.SYS") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="RECYCLER") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="BOOTSECT.BAK") returned 1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="bootmgr") returned 1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="programdata") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="appdata") returned 1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="program files") returned -1 [0102.457] lstrcmpiW (lpString1="bqgDuyQBRz9", lpString2="program files (x86)") returned -1 [0102.457] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.458] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\", lpString2="bqgDuyQBRz9" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9" [0102.458] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.458] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.458] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\*.*" [0102.458] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb4502550, ftCreationTime.dwHighDateTime=0x1d5e81b, ftLastAccessTime.dwLowDateTime=0x6b0760, ftLastAccessTime.dwHighDateTime=0x1d5dfd5, ftLastWriteTime.dwLowDateTime=0x6b0760, ftLastWriteTime.dwHighDateTime=0x1d5dfd5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName=".", cAlternateFileName="")) returned 0x5028b0 [0102.458] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.458] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb4502550, ftCreationTime.dwHighDateTime=0x1d5e81b, ftLastAccessTime.dwLowDateTime=0x6b0760, ftLastAccessTime.dwHighDateTime=0x1d5dfd5, ftLastWriteTime.dwLowDateTime=0x6b0760, ftLastWriteTime.dwHighDateTime=0x1d5dfd5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="..", cAlternateFileName="")) returned 1 [0102.458] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.458] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.458] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb690a90, ftCreationTime.dwHighDateTime=0x1d5e6ff, ftLastAccessTime.dwLowDateTime=0xcbe8d3a0, ftLastAccessTime.dwHighDateTime=0x1d5dfac, ftLastWriteTime.dwLowDateTime=0xcbe8d3a0, ftLastWriteTime.dwHighDateTime=0x1d5dfac, nFileSizeHigh=0x0, nFileSizeLow=0x672e, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="1Ggrolu.m4a", cAlternateFileName="")) returned 1 [0102.458] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2=".") returned 1 [0102.458] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="..") returned 1 [0102.458] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="...") returned 1 [0102.458] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="windows") returned -1 [0102.458] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="$RECYCLE.BIN") returned 1 [0102.458] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="rsa") returned -1 [0102.458] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="log") returned -1 [0102.458] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="NTDETECT.COM") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="ntldr") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="MSDOS.SYS") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="IO.SYS") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="boot.ini") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="AUTOEXEC.BAT") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="ntuser.dat") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="desktop.ini") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="CONFIG.SYS") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="RECYCLER") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="BOOTSECT.BAK") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="bootmgr") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="programdata") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="appdata") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="program files") returned -1 [0102.459] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="program files (x86)") returned -1 [0102.459] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.459] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\", lpString2="1Ggrolu.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\1Ggrolu.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\1Ggrolu.m4a" [0102.459] PathFindExtensionW (pszPath="1Ggrolu.m4a") returned=".m4a" [0102.459] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0102.459] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0102.459] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0102.459] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0102.459] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0102.459] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0102.459] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0102.459] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0102.459] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0102.460] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0102.460] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0102.460] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0102.460] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0102.460] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0102.460] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0102.460] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0102.460] lstrcmpiW (lpString1="1Ggrolu.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.460] lstrlenA (lpString="NEPHILIM") returned 8 [0102.460] GetProcessHeap () returned 0x4e0000 [0102.460] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5075c8 [0102.460] lstrlenA (lpString="NEPHILIM") returned 8 [0102.460] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\1Ggrolu.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\1ggrolu.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0102.460] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=26414) returned 1 [0102.460] GetProcessHeap () returned 0x4e0000 [0102.460] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.460] GetProcessHeap () returned 0x4e0000 [0102.460] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.460] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.460] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.460] GetProcessHeap () returned 0x4e0000 [0102.460] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.460] GetProcessHeap () returned 0x4e0000 [0102.460] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.460] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0102.461] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0102.461] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x672e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.461] SetLastError (dwErrCode=0x0) [0102.461] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.462] GetLastError () returned 0x0 [0102.462] GetLastError () returned 0x0 [0102.462] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x682e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.462] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.462] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x692e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.462] lstrlenA (lpString="NEPHILIM") returned 8 [0102.462] WriteFile (in: hFile=0xf4, lpBuffer=0x5075c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5075c8*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0102.462] GetProcessHeap () returned 0x4e0000 [0102.462] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x672e) returned 0x50c8b8 [0102.462] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.462] ReadFile (in: hFile=0xf4, lpBuffer=0x50c8b8, nNumberOfBytesToRead=0x672e, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesRead=0x24dd730*=0x672e, lpOverlapped=0x0) returned 1 [0102.464] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.464] WriteFile (in: hFile=0xf4, lpBuffer=0x50c8b8*, nNumberOfBytesToWrite=0x672e, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x672e, lpOverlapped=0x0) returned 1 [0102.464] GetProcessHeap () returned 0x4e0000 [0102.464] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b8 | out: hHeap=0x4e0000) returned 1 [0102.464] CloseHandle (hObject=0xf4) returned 1 [0102.468] GetProcessHeap () returned 0x4e0000 [0102.468] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.468] GetProcessHeap () returned 0x4e0000 [0102.468] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.468] GetProcessHeap () returned 0x4e0000 [0102.468] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.468] GetProcessHeap () returned 0x4e0000 [0102.468] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.468] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\1Ggrolu.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\1Ggrolu.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\1Ggrolu.m4a" [0102.468] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\1Ggrolu.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\1Ggrolu.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\1Ggrolu.m4a.NEPHILIM" [0102.468] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\1Ggrolu.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\1ggrolu.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\1Ggrolu.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\1ggrolu.m4a.nephilim")) returned 1 [0102.470] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6ee0660, ftCreationTime.dwHighDateTime=0x1d5d830, ftLastAccessTime.dwLowDateTime=0xdc6e0610, ftLastAccessTime.dwHighDateTime=0x1d5e3ed, ftLastWriteTime.dwLowDateTime=0xdc6e0610, ftLastWriteTime.dwHighDateTime=0x1d5e3ed, nFileSizeHigh=0x0, nFileSizeLow=0xcc77, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="3 dCejF0.bmp", cAlternateFileName="3DCEJF~1.BMP")) returned 1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2=".") returned 1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="..") returned 1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="...") returned 1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="windows") returned -1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="$RECYCLE.BIN") returned 1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="rsa") returned -1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="log") returned -1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="NTDETECT.COM") returned -1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="ntldr") returned -1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="MSDOS.SYS") returned -1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="IO.SYS") returned -1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="boot.ini") returned -1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="AUTOEXEC.BAT") returned -1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="ntuser.dat") returned -1 [0102.470] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="desktop.ini") returned -1 [0102.471] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="CONFIG.SYS") returned -1 [0102.471] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="RECYCLER") returned -1 [0102.471] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="BOOTSECT.BAK") returned -1 [0102.471] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="bootmgr") returned -1 [0102.471] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="programdata") returned -1 [0102.471] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="appdata") returned -1 [0102.471] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="program files") returned -1 [0102.471] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="program files (x86)") returned -1 [0102.471] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.471] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\", lpString2="3 dCejF0.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3 dCejF0.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3 dCejF0.bmp" [0102.472] PathFindExtensionW (pszPath="3 dCejF0.bmp") returned=".bmp" [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0102.472] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0102.472] lstrcmpiW (lpString1="3 dCejF0.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.472] lstrlenA (lpString="NEPHILIM") returned 8 [0102.472] GetProcessHeap () returned 0x4e0000 [0102.472] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5075d8 [0102.472] lstrlenA (lpString="NEPHILIM") returned 8 [0102.473] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3 dCejF0.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\3 dcejf0.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0102.473] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=52343) returned 1 [0102.473] GetProcessHeap () returned 0x4e0000 [0102.473] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.473] GetProcessHeap () returned 0x4e0000 [0102.474] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.474] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.474] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.474] GetProcessHeap () returned 0x4e0000 [0102.474] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.474] GetProcessHeap () returned 0x4e0000 [0102.474] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.474] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0102.474] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0102.474] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xcc77, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.474] SetLastError (dwErrCode=0x0) [0102.474] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.476] GetLastError () returned 0x0 [0102.476] GetLastError () returned 0x0 [0102.476] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xcd77, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.476] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.476] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xce77, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.476] lstrlenA (lpString="NEPHILIM") returned 8 [0102.476] WriteFile (in: hFile=0xf4, lpBuffer=0x5075d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5075d8*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0102.476] GetProcessHeap () returned 0x4e0000 [0102.476] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xcc77) returned 0x50c8b8 [0102.476] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.476] ReadFile (in: hFile=0xf4, lpBuffer=0x50c8b8, nNumberOfBytesToRead=0xcc77, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesRead=0x24dd730*=0xcc77, lpOverlapped=0x0) returned 1 [0102.480] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.480] WriteFile (in: hFile=0xf4, lpBuffer=0x50c8b8*, nNumberOfBytesToWrite=0xcc77, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesWritten=0x24dd73c*=0xcc77, lpOverlapped=0x0) returned 1 [0102.481] GetProcessHeap () returned 0x4e0000 [0102.481] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b8 | out: hHeap=0x4e0000) returned 1 [0102.481] CloseHandle (hObject=0xf4) returned 1 [0102.482] GetProcessHeap () returned 0x4e0000 [0102.483] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.483] GetProcessHeap () returned 0x4e0000 [0102.483] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.483] GetProcessHeap () returned 0x4e0000 [0102.483] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.483] GetProcessHeap () returned 0x4e0000 [0102.483] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.483] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3 dCejF0.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3 dCejF0.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3 dCejF0.bmp" [0102.483] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3 dCejF0.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3 dCejF0.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3 dCejF0.bmp.NEPHILIM" [0102.483] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3 dCejF0.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\3 dcejf0.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3 dCejF0.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\3 dcejf0.bmp.nephilim")) returned 1 [0102.484] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e46aba0, ftCreationTime.dwHighDateTime=0x1d5dff9, ftLastAccessTime.dwLowDateTime=0xca23fbc0, ftLastAccessTime.dwHighDateTime=0x1d5e3d6, ftLastWriteTime.dwLowDateTime=0xca23fbc0, ftLastWriteTime.dwHighDateTime=0x1d5e3d6, nFileSizeHigh=0x0, nFileSizeLow=0x355d, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="3qEcmCilX86.avi", cAlternateFileName="3QECMC~1.AVI")) returned 1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2=".") returned 1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="..") returned 1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="...") returned 1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="windows") returned -1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="$RECYCLE.BIN") returned 1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="rsa") returned -1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="log") returned -1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="NTDETECT.COM") returned -1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="ntldr") returned -1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="MSDOS.SYS") returned -1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="IO.SYS") returned -1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="boot.ini") returned -1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="AUTOEXEC.BAT") returned -1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="ntuser.dat") returned -1 [0102.484] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="desktop.ini") returned -1 [0102.485] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="CONFIG.SYS") returned -1 [0102.485] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="RECYCLER") returned -1 [0102.485] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="BOOTSECT.BAK") returned -1 [0102.485] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="bootmgr") returned -1 [0102.485] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="programdata") returned -1 [0102.485] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="appdata") returned -1 [0102.485] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="program files") returned -1 [0102.485] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="program files (x86)") returned -1 [0102.485] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.485] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\", lpString2="3qEcmCilX86.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3qEcmCilX86.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3qEcmCilX86.avi" [0102.485] PathFindExtensionW (pszPath="3qEcmCilX86.avi") returned=".avi" [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".NEPHILIM") returned -1 [0102.485] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0102.486] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0102.486] lstrcmpiW (lpString1="3qEcmCilX86.avi", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.486] lstrlenA (lpString="NEPHILIM") returned 8 [0102.486] GetProcessHeap () returned 0x4e0000 [0102.486] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5075e8 [0102.486] lstrlenA (lpString="NEPHILIM") returned 8 [0102.486] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3qEcmCilX86.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\3qecmcilx86.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0102.486] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=13661) returned 1 [0102.487] GetProcessHeap () returned 0x4e0000 [0102.487] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.487] GetProcessHeap () returned 0x4e0000 [0102.487] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.487] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.487] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.487] GetProcessHeap () returned 0x4e0000 [0102.487] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.487] GetProcessHeap () returned 0x4e0000 [0102.487] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.487] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0102.487] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0102.488] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x355d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.488] SetLastError (dwErrCode=0x0) [0102.488] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.489] GetLastError () returned 0x0 [0102.489] GetLastError () returned 0x0 [0102.489] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x365d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.489] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.489] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x375d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.489] lstrlenA (lpString="NEPHILIM") returned 8 [0102.489] WriteFile (in: hFile=0xf4, lpBuffer=0x5075e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5075e8*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0102.489] GetProcessHeap () returned 0x4e0000 [0102.489] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x355d) returned 0x50c8b8 [0102.489] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.489] ReadFile (in: hFile=0xf4, lpBuffer=0x50c8b8, nNumberOfBytesToRead=0x355d, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesRead=0x24dd730*=0x355d, lpOverlapped=0x0) returned 1 [0102.491] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.491] WriteFile (in: hFile=0xf4, lpBuffer=0x50c8b8*, nNumberOfBytesToWrite=0x355d, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x355d, lpOverlapped=0x0) returned 1 [0102.491] GetProcessHeap () returned 0x4e0000 [0102.491] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b8 | out: hHeap=0x4e0000) returned 1 [0102.491] CloseHandle (hObject=0xf4) returned 1 [0102.493] GetProcessHeap () returned 0x4e0000 [0102.493] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.493] GetProcessHeap () returned 0x4e0000 [0102.493] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.493] GetProcessHeap () returned 0x4e0000 [0102.493] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.493] GetProcessHeap () returned 0x4e0000 [0102.493] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.493] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3qEcmCilX86.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3qEcmCilX86.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3qEcmCilX86.avi" [0102.493] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3qEcmCilX86.avi", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3qEcmCilX86.avi.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3qEcmCilX86.avi.NEPHILIM" [0102.493] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3qEcmCilX86.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\3qecmcilx86.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\3qEcmCilX86.avi.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\3qecmcilx86.avi.nephilim")) returned 1 [0102.494] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f91a290, ftCreationTime.dwHighDateTime=0x1d5df59, ftLastAccessTime.dwLowDateTime=0xfe512570, ftLastAccessTime.dwHighDateTime=0x1d5e2b0, ftLastWriteTime.dwLowDateTime=0xfe512570, ftLastWriteTime.dwHighDateTime=0x1d5e2b0, nFileSizeHigh=0x0, nFileSizeLow=0x6cf9, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="cBZLPQiVKzi.avi", cAlternateFileName="CBZLPQ~1.AVI")) returned 1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2=".") returned 1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="..") returned 1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="...") returned 1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="windows") returned -1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="$RECYCLE.BIN") returned 1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="rsa") returned -1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="log") returned -1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="NTDETECT.COM") returned -1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="ntldr") returned -1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="MSDOS.SYS") returned -1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="IO.SYS") returned -1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="boot.ini") returned 1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="AUTOEXEC.BAT") returned 1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="ntuser.dat") returned -1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="desktop.ini") returned -1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="CONFIG.SYS") returned -1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="RECYCLER") returned -1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="BOOTSECT.BAK") returned 1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="bootmgr") returned 1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="programdata") returned -1 [0102.494] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="appdata") returned 1 [0102.495] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="program files") returned -1 [0102.495] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="program files (x86)") returned -1 [0102.495] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.495] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\", lpString2="cBZLPQiVKzi.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\cBZLPQiVKzi.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\cBZLPQiVKzi.avi" [0102.495] PathFindExtensionW (pszPath="cBZLPQiVKzi.avi") returned=".avi" [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".NEPHILIM") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0102.495] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0102.495] lstrcmpiW (lpString1="cBZLPQiVKzi.avi", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.495] lstrlenA (lpString="NEPHILIM") returned 8 [0102.495] GetProcessHeap () returned 0x4e0000 [0102.495] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5075f8 [0102.495] lstrlenA (lpString="NEPHILIM") returned 8 [0102.495] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\cBZLPQiVKzi.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\cbzlpqivkzi.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0102.496] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=27897) returned 1 [0102.496] GetProcessHeap () returned 0x4e0000 [0102.496] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.496] GetProcessHeap () returned 0x4e0000 [0102.496] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.496] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.496] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.496] GetProcessHeap () returned 0x4e0000 [0102.496] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.496] GetProcessHeap () returned 0x4e0000 [0102.496] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.496] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0102.496] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0102.497] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x6cf9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.497] SetLastError (dwErrCode=0x0) [0102.497] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.498] GetLastError () returned 0x0 [0102.498] GetLastError () returned 0x0 [0102.498] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x6df9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.498] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.498] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x6ef9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.498] lstrlenA (lpString="NEPHILIM") returned 8 [0102.498] WriteFile (in: hFile=0xf4, lpBuffer=0x5075f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5075f8*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0102.499] GetProcessHeap () returned 0x4e0000 [0102.499] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x6cf9) returned 0x50c8b8 [0102.499] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.499] ReadFile (in: hFile=0xf4, lpBuffer=0x50c8b8, nNumberOfBytesToRead=0x6cf9, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesRead=0x24dd730*=0x6cf9, lpOverlapped=0x0) returned 1 [0102.501] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.501] WriteFile (in: hFile=0xf4, lpBuffer=0x50c8b8*, nNumberOfBytesToWrite=0x6cf9, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x6cf9, lpOverlapped=0x0) returned 1 [0102.501] GetProcessHeap () returned 0x4e0000 [0102.501] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b8 | out: hHeap=0x4e0000) returned 1 [0102.501] CloseHandle (hObject=0xf4) returned 1 [0102.516] GetProcessHeap () returned 0x4e0000 [0102.516] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.516] GetProcessHeap () returned 0x4e0000 [0102.517] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.517] GetProcessHeap () returned 0x4e0000 [0102.517] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.517] GetProcessHeap () returned 0x4e0000 [0102.517] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.517] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\cBZLPQiVKzi.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\cBZLPQiVKzi.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\cBZLPQiVKzi.avi" [0102.517] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\cBZLPQiVKzi.avi", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\cBZLPQiVKzi.avi.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\cBZLPQiVKzi.avi.NEPHILIM" [0102.517] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\cBZLPQiVKzi.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\cbzlpqivkzi.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\cBZLPQiVKzi.avi.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\cbzlpqivkzi.avi.nephilim")) returned 1 [0102.518] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee835fe0, ftCreationTime.dwHighDateTime=0x1d5dee2, ftLastAccessTime.dwLowDateTime=0xbbaba3f0, ftLastAccessTime.dwHighDateTime=0x1d5d87c, ftLastWriteTime.dwLowDateTime=0xbbaba3f0, ftLastWriteTime.dwHighDateTime=0x1d5d87c, nFileSizeHigh=0x0, nFileSizeLow=0x10a13, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="DuLgLrKLZzvMA8zkvh51.m4a", cAlternateFileName="DULGLR~1.M4A")) returned 1 [0102.518] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2=".") returned 1 [0102.518] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="..") returned 1 [0102.518] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="...") returned 1 [0102.518] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="windows") returned -1 [0102.518] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="$RECYCLE.BIN") returned 1 [0102.518] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="rsa") returned -1 [0102.518] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="log") returned -1 [0102.518] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="NTDETECT.COM") returned -1 [0102.518] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="ntldr") returned -1 [0102.518] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="MSDOS.SYS") returned -1 [0102.518] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="IO.SYS") returned -1 [0102.518] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="boot.ini") returned 1 [0102.519] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0102.519] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="ntuser.dat") returned -1 [0102.519] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="desktop.ini") returned 1 [0102.519] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="CONFIG.SYS") returned 1 [0102.519] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="RECYCLER") returned -1 [0102.519] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="BOOTSECT.BAK") returned 1 [0102.519] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="bootmgr") returned 1 [0102.519] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="programdata") returned -1 [0102.519] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="appdata") returned 1 [0102.519] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="program files") returned -1 [0102.519] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="program files (x86)") returned -1 [0102.519] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.519] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\", lpString2="DuLgLrKLZzvMA8zkvh51.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\DuLgLrKLZzvMA8zkvh51.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\DuLgLrKLZzvMA8zkvh51.m4a" [0102.519] PathFindExtensionW (pszPath="DuLgLrKLZzvMA8zkvh51.m4a") returned=".m4a" [0102.519] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0102.519] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0102.519] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0102.519] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0102.519] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0102.519] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0102.519] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0102.519] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0102.519] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0102.519] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0102.519] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0102.519] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0102.520] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0102.520] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0102.520] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0102.520] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0102.520] lstrcmpiW (lpString1="DuLgLrKLZzvMA8zkvh51.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.520] lstrlenA (lpString="NEPHILIM") returned 8 [0102.520] GetProcessHeap () returned 0x4e0000 [0102.520] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507608 [0102.520] lstrlenA (lpString="NEPHILIM") returned 8 [0102.520] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\DuLgLrKLZzvMA8zkvh51.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\dulglrklzzvma8zkvh51.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0102.520] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=68115) returned 1 [0102.520] GetProcessHeap () returned 0x4e0000 [0102.520] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.520] GetProcessHeap () returned 0x4e0000 [0102.520] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.520] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.520] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.520] GetProcessHeap () returned 0x4e0000 [0102.520] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.520] GetProcessHeap () returned 0x4e0000 [0102.520] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.521] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0102.521] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0102.521] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x10a13, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.521] SetLastError (dwErrCode=0x0) [0102.521] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.522] GetLastError () returned 0x0 [0102.522] GetLastError () returned 0x0 [0102.522] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x10b13, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.522] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.523] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x10c13, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.523] lstrlenA (lpString="NEPHILIM") returned 8 [0102.523] WriteFile (in: hFile=0xf4, lpBuffer=0x507608*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x507608*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0102.523] GetProcessHeap () returned 0x4e0000 [0102.523] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10a13) returned 0x50c8b8 [0102.523] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.523] ReadFile (in: hFile=0xf4, lpBuffer=0x50c8b8, nNumberOfBytesToRead=0x10a13, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesRead=0x24dd730*=0x10a13, lpOverlapped=0x0) returned 1 [0102.527] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.527] WriteFile (in: hFile=0xf4, lpBuffer=0x50c8b8*, nNumberOfBytesToWrite=0x10a13, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x10a13, lpOverlapped=0x0) returned 1 [0102.527] GetProcessHeap () returned 0x4e0000 [0102.527] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b8 | out: hHeap=0x4e0000) returned 1 [0102.527] CloseHandle (hObject=0xf4) returned 1 [0102.529] GetProcessHeap () returned 0x4e0000 [0102.529] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.529] GetProcessHeap () returned 0x4e0000 [0102.529] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.529] GetProcessHeap () returned 0x4e0000 [0102.529] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.529] GetProcessHeap () returned 0x4e0000 [0102.529] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.529] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\DuLgLrKLZzvMA8zkvh51.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\DuLgLrKLZzvMA8zkvh51.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\DuLgLrKLZzvMA8zkvh51.m4a" [0102.529] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\DuLgLrKLZzvMA8zkvh51.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\DuLgLrKLZzvMA8zkvh51.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\DuLgLrKLZzvMA8zkvh51.m4a.NEPHILIM" [0102.529] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\DuLgLrKLZzvMA8zkvh51.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\dulglrklzzvma8zkvh51.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\DuLgLrKLZzvMA8zkvh51.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\dulglrklzzvma8zkvh51.m4a.nephilim")) returned 1 [0102.530] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3abcfd10, ftCreationTime.dwHighDateTime=0x1d5e77d, ftLastAccessTime.dwLowDateTime=0x2d1afea0, ftLastAccessTime.dwHighDateTime=0x1d5df71, ftLastWriteTime.dwLowDateTime=0x2d1afea0, ftLastWriteTime.dwHighDateTime=0x1d5df71, nFileSizeHigh=0x0, nFileSizeLow=0x154de, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="hFVeHDPy.swf", cAlternateFileName="")) returned 1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2=".") returned 1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="..") returned 1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="...") returned 1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="windows") returned -1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="$RECYCLE.BIN") returned 1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="rsa") returned -1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="log") returned -1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="NTDETECT.COM") returned -1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="ntldr") returned -1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="MSDOS.SYS") returned -1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="IO.SYS") returned -1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="boot.ini") returned 1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="AUTOEXEC.BAT") returned 1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="ntuser.dat") returned -1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="desktop.ini") returned 1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="CONFIG.SYS") returned 1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="RECYCLER") returned -1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="BOOTSECT.BAK") returned 1 [0102.530] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="bootmgr") returned 1 [0102.531] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="programdata") returned -1 [0102.531] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="appdata") returned 1 [0102.531] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="program files") returned -1 [0102.531] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="program files (x86)") returned -1 [0102.531] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.531] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\", lpString2="hFVeHDPy.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hFVeHDPy.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hFVeHDPy.swf" [0102.531] PathFindExtensionW (pszPath="hFVeHDPy.swf") returned=".swf" [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".NEPHILIM") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0102.531] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0102.531] lstrcmpiW (lpString1="hFVeHDPy.swf", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.531] lstrlenA (lpString="NEPHILIM") returned 8 [0102.531] GetProcessHeap () returned 0x4e0000 [0102.531] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507618 [0102.531] lstrlenA (lpString="NEPHILIM") returned 8 [0102.531] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hFVeHDPy.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\hfvehdpy.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0102.532] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=87262) returned 1 [0102.532] GetProcessHeap () returned 0x4e0000 [0102.532] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.532] GetProcessHeap () returned 0x4e0000 [0102.532] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.532] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.532] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.532] GetProcessHeap () returned 0x4e0000 [0102.532] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.532] GetProcessHeap () returned 0x4e0000 [0102.532] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.532] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0102.532] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0102.532] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x154de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.532] SetLastError (dwErrCode=0x0) [0102.532] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.533] GetLastError () returned 0x0 [0102.533] GetLastError () returned 0x0 [0102.533] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x155de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.533] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.534] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x156de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.534] lstrlenA (lpString="NEPHILIM") returned 8 [0102.534] WriteFile (in: hFile=0xf4, lpBuffer=0x507618*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x507618*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0102.534] GetProcessHeap () returned 0x4e0000 [0102.534] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x154de) returned 0x50c8b8 [0102.534] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.534] ReadFile (in: hFile=0xf4, lpBuffer=0x50c8b8, nNumberOfBytesToRead=0x154de, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesRead=0x24dd730*=0x154de, lpOverlapped=0x0) returned 1 [0102.539] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.539] WriteFile (in: hFile=0xf4, lpBuffer=0x50c8b8*, nNumberOfBytesToWrite=0x154de, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x154de, lpOverlapped=0x0) returned 1 [0102.539] GetProcessHeap () returned 0x4e0000 [0102.539] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b8 | out: hHeap=0x4e0000) returned 1 [0102.539] CloseHandle (hObject=0xf4) returned 1 [0102.544] GetProcessHeap () returned 0x4e0000 [0102.544] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.544] GetProcessHeap () returned 0x4e0000 [0102.544] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.544] GetProcessHeap () returned 0x4e0000 [0102.544] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.544] GetProcessHeap () returned 0x4e0000 [0102.544] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.544] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hFVeHDPy.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hFVeHDPy.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hFVeHDPy.swf" [0102.544] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hFVeHDPy.swf", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hFVeHDPy.swf.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hFVeHDPy.swf.NEPHILIM" [0102.544] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hFVeHDPy.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\hfvehdpy.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hFVeHDPy.swf.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\hfvehdpy.swf.nephilim")) returned 1 [0102.545] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f33a7d0, ftCreationTime.dwHighDateTime=0x1d5dd82, ftLastAccessTime.dwLowDateTime=0x382a6450, ftLastAccessTime.dwHighDateTime=0x1d5de06, ftLastWriteTime.dwLowDateTime=0x382a6450, ftLastWriteTime.dwHighDateTime=0x1d5de06, nFileSizeHigh=0x0, nFileSizeLow=0x896f, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="hm2zh8j mw-aJUtk8IAy.bmp", cAlternateFileName="HM2ZH8~1.BMP")) returned 1 [0102.545] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2=".") returned 1 [0102.545] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="..") returned 1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="...") returned 1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="windows") returned -1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="$RECYCLE.BIN") returned 1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="rsa") returned -1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="log") returned -1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="NTDETECT.COM") returned -1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="ntldr") returned -1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="MSDOS.SYS") returned -1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="IO.SYS") returned -1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="boot.ini") returned 1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="ntuser.dat") returned -1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="desktop.ini") returned 1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="CONFIG.SYS") returned 1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="RECYCLER") returned -1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="BOOTSECT.BAK") returned 1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="bootmgr") returned 1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="programdata") returned -1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="appdata") returned 1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="program files") returned -1 [0102.546] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="program files (x86)") returned -1 [0102.546] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.546] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\", lpString2="hm2zh8j mw-aJUtk8IAy.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hm2zh8j mw-aJUtk8IAy.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hm2zh8j mw-aJUtk8IAy.bmp" [0102.546] PathFindExtensionW (pszPath="hm2zh8j mw-aJUtk8IAy.bmp") returned=".bmp" [0102.546] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0102.547] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0102.547] lstrcmpiW (lpString1="hm2zh8j mw-aJUtk8IAy.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.547] lstrlenA (lpString="NEPHILIM") returned 8 [0102.547] GetProcessHeap () returned 0x4e0000 [0102.547] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507628 [0102.547] lstrlenA (lpString="NEPHILIM") returned 8 [0102.547] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hm2zh8j mw-aJUtk8IAy.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\hm2zh8j mw-ajutk8iay.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0102.548] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=35183) returned 1 [0102.548] GetProcessHeap () returned 0x4e0000 [0102.548] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.548] GetProcessHeap () returned 0x4e0000 [0102.548] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.548] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.548] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.548] GetProcessHeap () returned 0x4e0000 [0102.548] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.548] GetProcessHeap () returned 0x4e0000 [0102.548] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.548] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0102.548] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0102.549] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x896f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.549] SetLastError (dwErrCode=0x0) [0102.550] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.551] GetLastError () returned 0x0 [0102.551] GetLastError () returned 0x0 [0102.551] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x8a6f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.551] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.551] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x8b6f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.551] lstrlenA (lpString="NEPHILIM") returned 8 [0102.551] WriteFile (in: hFile=0xf4, lpBuffer=0x507628*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x507628*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0102.551] GetProcessHeap () returned 0x4e0000 [0102.551] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x896f) returned 0x50c8b8 [0102.551] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.551] ReadFile (in: hFile=0xf4, lpBuffer=0x50c8b8, nNumberOfBytesToRead=0x896f, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesRead=0x24dd730*=0x896f, lpOverlapped=0x0) returned 1 [0102.554] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.554] WriteFile (in: hFile=0xf4, lpBuffer=0x50c8b8*, nNumberOfBytesToWrite=0x896f, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x896f, lpOverlapped=0x0) returned 1 [0102.554] GetProcessHeap () returned 0x4e0000 [0102.554] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b8 | out: hHeap=0x4e0000) returned 1 [0102.554] CloseHandle (hObject=0xf4) returned 1 [0102.556] GetProcessHeap () returned 0x4e0000 [0102.556] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.556] GetProcessHeap () returned 0x4e0000 [0102.556] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.556] GetProcessHeap () returned 0x4e0000 [0102.556] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.556] GetProcessHeap () returned 0x4e0000 [0102.556] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.556] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hm2zh8j mw-aJUtk8IAy.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hm2zh8j mw-aJUtk8IAy.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hm2zh8j mw-aJUtk8IAy.bmp" [0102.556] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hm2zh8j mw-aJUtk8IAy.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hm2zh8j mw-aJUtk8IAy.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hm2zh8j mw-aJUtk8IAy.bmp.NEPHILIM" [0102.556] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hm2zh8j mw-aJUtk8IAy.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\hm2zh8j mw-ajutk8iay.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\hm2zh8j mw-aJUtk8IAy.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\hm2zh8j mw-ajutk8iay.bmp.nephilim")) returned 1 [0102.557] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a002720, ftCreationTime.dwHighDateTime=0x1d5dad6, ftLastAccessTime.dwLowDateTime=0x83fa7840, ftLastAccessTime.dwHighDateTime=0x1d5e395, ftLastWriteTime.dwLowDateTime=0x83fa7840, ftLastWriteTime.dwHighDateTime=0x1d5e395, nFileSizeHigh=0x0, nFileSizeLow=0x8a3b, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="htiG am4A1I.png", cAlternateFileName="HTIGAM~1.PNG")) returned 1 [0102.557] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2=".") returned 1 [0102.557] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="..") returned 1 [0102.557] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="...") returned 1 [0102.557] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="windows") returned -1 [0102.557] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="$RECYCLE.BIN") returned 1 [0102.557] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="rsa") returned -1 [0102.557] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="log") returned -1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="NTDETECT.COM") returned -1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="ntldr") returned -1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="MSDOS.SYS") returned -1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="IO.SYS") returned -1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="boot.ini") returned 1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="AUTOEXEC.BAT") returned 1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="ntuser.dat") returned -1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="desktop.ini") returned 1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="CONFIG.SYS") returned 1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="RECYCLER") returned -1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="BOOTSECT.BAK") returned 1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="bootmgr") returned 1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="programdata") returned -1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="appdata") returned 1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="program files") returned -1 [0102.558] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="program files (x86)") returned -1 [0102.558] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.558] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\", lpString2="htiG am4A1I.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\htiG am4A1I.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\htiG am4A1I.png" [0102.558] PathFindExtensionW (pszPath="htiG am4A1I.png") returned=".png" [0102.558] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0102.558] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0102.558] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0102.558] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0102.558] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0102.558] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0102.558] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0102.559] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0102.559] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0102.559] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0102.559] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0102.559] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0102.559] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0102.559] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0102.559] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0102.559] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0102.559] lstrcmpiW (lpString1="htiG am4A1I.png", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.559] lstrlenA (lpString="NEPHILIM") returned 8 [0102.559] GetProcessHeap () returned 0x4e0000 [0102.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507638 [0102.559] lstrlenA (lpString="NEPHILIM") returned 8 [0102.559] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\htiG am4A1I.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\htig am4a1i.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0102.559] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=35387) returned 1 [0102.559] GetProcessHeap () returned 0x4e0000 [0102.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.559] GetProcessHeap () returned 0x4e0000 [0102.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.560] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.560] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.560] GetProcessHeap () returned 0x4e0000 [0102.560] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.560] GetProcessHeap () returned 0x4e0000 [0102.560] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.560] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0102.560] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0102.560] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x8a3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.560] SetLastError (dwErrCode=0x0) [0102.560] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.561] GetLastError () returned 0x0 [0102.562] GetLastError () returned 0x0 [0102.562] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x8b3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.562] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.562] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x8c3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.562] lstrlenA (lpString="NEPHILIM") returned 8 [0102.562] WriteFile (in: hFile=0xf4, lpBuffer=0x507638*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x507638*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0102.562] GetProcessHeap () returned 0x4e0000 [0102.562] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8a3b) returned 0x50c8b8 [0102.562] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.562] ReadFile (in: hFile=0xf4, lpBuffer=0x50c8b8, nNumberOfBytesToRead=0x8a3b, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesRead=0x24dd730*=0x8a3b, lpOverlapped=0x0) returned 1 [0102.564] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.565] WriteFile (in: hFile=0xf4, lpBuffer=0x50c8b8*, nNumberOfBytesToWrite=0x8a3b, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x8a3b, lpOverlapped=0x0) returned 1 [0102.565] GetProcessHeap () returned 0x4e0000 [0102.565] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b8 | out: hHeap=0x4e0000) returned 1 [0102.565] CloseHandle (hObject=0xf4) returned 1 [0102.568] GetProcessHeap () returned 0x4e0000 [0102.568] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.568] GetProcessHeap () returned 0x4e0000 [0102.568] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.568] GetProcessHeap () returned 0x4e0000 [0102.568] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.568] GetProcessHeap () returned 0x4e0000 [0102.568] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.568] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\htiG am4A1I.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\htiG am4A1I.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\htiG am4A1I.png" [0102.568] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\htiG am4A1I.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\htiG am4A1I.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\htiG am4A1I.png.NEPHILIM" [0102.569] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\htiG am4A1I.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\htig am4a1i.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\htiG am4A1I.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\htig am4a1i.png.nephilim")) returned 1 [0102.569] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33bf4d60, ftCreationTime.dwHighDateTime=0x1d5e2b9, ftLastAccessTime.dwLowDateTime=0xb345c7d0, ftLastAccessTime.dwHighDateTime=0x1d5e4c6, ftLastWriteTime.dwLowDateTime=0xb345c7d0, ftLastWriteTime.dwHighDateTime=0x1d5e4c6, nFileSizeHigh=0x0, nFileSizeLow=0x7eaf, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="vJaeefq21JE0D1c.m4a", cAlternateFileName="VJAEEF~1.M4A")) returned 1 [0102.569] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2=".") returned 1 [0102.569] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="..") returned 1 [0102.569] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="...") returned 1 [0102.569] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="windows") returned -1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="$RECYCLE.BIN") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="rsa") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="log") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="NTDETECT.COM") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="ntldr") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="MSDOS.SYS") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="IO.SYS") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="boot.ini") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="ntuser.dat") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="desktop.ini") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="CONFIG.SYS") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="RECYCLER") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="BOOTSECT.BAK") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="bootmgr") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="programdata") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="appdata") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="program files") returned 1 [0102.570] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="program files (x86)") returned 1 [0102.570] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.570] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\", lpString2="vJaeefq21JE0D1c.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\vJaeefq21JE0D1c.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\vJaeefq21JE0D1c.m4a" [0102.570] PathFindExtensionW (pszPath="vJaeefq21JE0D1c.m4a") returned=".m4a" [0102.570] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0102.570] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0102.571] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0102.571] lstrcmpiW (lpString1="vJaeefq21JE0D1c.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.571] lstrlenA (lpString="NEPHILIM") returned 8 [0102.571] GetProcessHeap () returned 0x4e0000 [0102.571] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507648 [0102.571] lstrlenA (lpString="NEPHILIM") returned 8 [0102.571] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\vJaeefq21JE0D1c.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\vjaeefq21je0d1c.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0102.572] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=32431) returned 1 [0102.572] GetProcessHeap () returned 0x4e0000 [0102.572] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.572] GetProcessHeap () returned 0x4e0000 [0102.572] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.572] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.572] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.572] GetProcessHeap () returned 0x4e0000 [0102.572] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.572] GetProcessHeap () returned 0x4e0000 [0102.572] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.572] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0102.572] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0102.573] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x7eaf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.573] SetLastError (dwErrCode=0x0) [0102.573] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.574] GetLastError () returned 0x0 [0102.574] GetLastError () returned 0x0 [0102.574] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x7faf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.574] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.575] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x80af, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.575] lstrlenA (lpString="NEPHILIM") returned 8 [0102.575] WriteFile (in: hFile=0xf4, lpBuffer=0x507648*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x507648*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0102.575] GetProcessHeap () returned 0x4e0000 [0102.575] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x7eaf) returned 0x50c8b8 [0102.575] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.575] ReadFile (in: hFile=0xf4, lpBuffer=0x50c8b8, nNumberOfBytesToRead=0x7eaf, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesRead=0x24dd730*=0x7eaf, lpOverlapped=0x0) returned 1 [0102.577] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.577] WriteFile (in: hFile=0xf4, lpBuffer=0x50c8b8*, nNumberOfBytesToWrite=0x7eaf, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x7eaf, lpOverlapped=0x0) returned 1 [0102.577] GetProcessHeap () returned 0x4e0000 [0102.577] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b8 | out: hHeap=0x4e0000) returned 1 [0102.578] CloseHandle (hObject=0xf4) returned 1 [0102.580] GetProcessHeap () returned 0x4e0000 [0102.580] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.580] GetProcessHeap () returned 0x4e0000 [0102.580] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.580] GetProcessHeap () returned 0x4e0000 [0102.580] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.580] GetProcessHeap () returned 0x4e0000 [0102.580] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.581] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\vJaeefq21JE0D1c.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\vJaeefq21JE0D1c.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\vJaeefq21JE0D1c.m4a" [0102.581] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\vJaeefq21JE0D1c.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\vJaeefq21JE0D1c.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\vJaeefq21JE0D1c.m4a.NEPHILIM" [0102.581] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\vJaeefq21JE0D1c.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\vjaeefq21je0d1c.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\vJaeefq21JE0D1c.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\vjaeefq21je0d1c.m4a.nephilim")) returned 1 [0102.581] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x297772d0, ftCreationTime.dwHighDateTime=0x1d5db23, ftLastAccessTime.dwLowDateTime=0xb8433200, ftLastAccessTime.dwHighDateTime=0x1d5dc55, ftLastWriteTime.dwLowDateTime=0xb8433200, ftLastWriteTime.dwHighDateTime=0x1d5dc55, nFileSizeHigh=0x0, nFileSizeLow=0x17b38, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="_6VHfFjcxfJE.jpg", cAlternateFileName="_6VHFF~1.JPG")) returned 1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2=".") returned 1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="..") returned 1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="...") returned 1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="windows") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="$RECYCLE.BIN") returned 1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="rsa") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="log") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="NTDETECT.COM") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="ntldr") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="MSDOS.SYS") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="IO.SYS") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="boot.ini") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="AUTOEXEC.BAT") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="ntuser.dat") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="desktop.ini") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="CONFIG.SYS") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="RECYCLER") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="BOOTSECT.BAK") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="bootmgr") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="programdata") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="appdata") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="program files") returned -1 [0102.582] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="program files (x86)") returned -1 [0102.582] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.582] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\", lpString2="_6VHfFjcxfJE.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_6VHfFjcxfJE.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_6VHfFjcxfJE.jpg" [0102.583] PathFindExtensionW (pszPath="_6VHfFjcxfJE.jpg") returned=".jpg" [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0102.583] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0102.583] lstrcmpiW (lpString1="_6VHfFjcxfJE.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.583] lstrlenA (lpString="NEPHILIM") returned 8 [0102.583] GetProcessHeap () returned 0x4e0000 [0102.583] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507658 [0102.583] lstrlenA (lpString="NEPHILIM") returned 8 [0102.583] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_6VHfFjcxfJE.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\_6vhffjcxfje.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0102.584] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=97080) returned 1 [0102.584] GetProcessHeap () returned 0x4e0000 [0102.584] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.584] GetProcessHeap () returned 0x4e0000 [0102.584] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.584] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.584] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.584] GetProcessHeap () returned 0x4e0000 [0102.584] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.584] GetProcessHeap () returned 0x4e0000 [0102.584] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.584] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0102.584] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0102.585] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x17b38, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.585] SetLastError (dwErrCode=0x0) [0102.585] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.586] GetLastError () returned 0x0 [0102.586] GetLastError () returned 0x0 [0102.586] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x17c38, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.586] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.586] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x17d38, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.586] lstrlenA (lpString="NEPHILIM") returned 8 [0102.586] WriteFile (in: hFile=0xf4, lpBuffer=0x507658*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x507658*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0102.586] GetProcessHeap () returned 0x4e0000 [0102.586] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x17b38) returned 0x50c8b8 [0102.586] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.586] ReadFile (in: hFile=0xf4, lpBuffer=0x50c8b8, nNumberOfBytesToRead=0x17b38, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesRead=0x24dd730*=0x17b38, lpOverlapped=0x0) returned 1 [0102.593] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.593] WriteFile (in: hFile=0xf4, lpBuffer=0x50c8b8*, nNumberOfBytesToWrite=0x17b38, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x17b38, lpOverlapped=0x0) returned 1 [0102.593] GetProcessHeap () returned 0x4e0000 [0102.593] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b8 | out: hHeap=0x4e0000) returned 1 [0102.593] CloseHandle (hObject=0xf4) returned 1 [0102.596] GetProcessHeap () returned 0x4e0000 [0102.596] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.596] GetProcessHeap () returned 0x4e0000 [0102.596] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.596] GetProcessHeap () returned 0x4e0000 [0102.596] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.596] GetProcessHeap () returned 0x4e0000 [0102.596] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.597] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_6VHfFjcxfJE.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_6VHfFjcxfJE.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_6VHfFjcxfJE.jpg" [0102.597] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_6VHfFjcxfJE.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_6VHfFjcxfJE.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_6VHfFjcxfJE.jpg.NEPHILIM" [0102.597] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_6VHfFjcxfJE.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\_6vhffjcxfje.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_6VHfFjcxfJE.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\_6vhffjcxfje.jpg.nephilim")) returned 1 [0102.597] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd43ff800, ftCreationTime.dwHighDateTime=0x1d5d86b, ftLastAccessTime.dwLowDateTime=0xdd317d40, ftLastAccessTime.dwHighDateTime=0x1d5e4d6, ftLastWriteTime.dwLowDateTime=0xdd317d40, ftLastWriteTime.dwHighDateTime=0x1d5e4d6, nFileSizeHigh=0x0, nFileSizeLow=0x80ad, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="_FTV DAHnCvzZz4gyY.png", cAlternateFileName="_FTVDA~1.PNG")) returned 1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2=".") returned 1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="..") returned 1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="...") returned 1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="windows") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="$RECYCLE.BIN") returned 1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="rsa") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="log") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="NTDETECT.COM") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="ntldr") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="MSDOS.SYS") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="IO.SYS") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="boot.ini") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="AUTOEXEC.BAT") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="ntuser.dat") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="desktop.ini") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="CONFIG.SYS") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="RECYCLER") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="BOOTSECT.BAK") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="bootmgr") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="programdata") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="appdata") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="program files") returned -1 [0102.598] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="program files (x86)") returned -1 [0102.598] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\" [0102.599] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\", lpString2="_FTV DAHnCvzZz4gyY.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_FTV DAHnCvzZz4gyY.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_FTV DAHnCvzZz4gyY.png" [0102.599] PathFindExtensionW (pszPath="_FTV DAHnCvzZz4gyY.png") returned=".png" [0102.599] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0102.599] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0102.599] lstrcmpiW (lpString1="_FTV DAHnCvzZz4gyY.png", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.599] lstrlenA (lpString="NEPHILIM") returned 8 [0102.599] GetProcessHeap () returned 0x4e0000 [0102.599] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507668 [0102.599] lstrlenA (lpString="NEPHILIM") returned 8 [0102.599] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_FTV DAHnCvzZz4gyY.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\_ftv dahncvzzz4gyy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0102.600] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=32941) returned 1 [0102.600] GetProcessHeap () returned 0x4e0000 [0102.600] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.600] GetProcessHeap () returned 0x4e0000 [0102.600] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.600] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.600] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.600] GetProcessHeap () returned 0x4e0000 [0102.600] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.600] GetProcessHeap () returned 0x4e0000 [0102.600] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.600] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0102.600] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0102.601] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x80ad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.601] SetLastError (dwErrCode=0x0) [0102.601] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.602] GetLastError () returned 0x0 [0102.602] GetLastError () returned 0x0 [0102.602] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x81ad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.602] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0102.602] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x82ad, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.602] lstrlenA (lpString="NEPHILIM") returned 8 [0102.602] WriteFile (in: hFile=0xf4, lpBuffer=0x507668*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x507668*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0102.602] GetProcessHeap () returned 0x4e0000 [0102.602] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x80ad) returned 0x50c8b8 [0102.602] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.602] ReadFile (in: hFile=0xf4, lpBuffer=0x50c8b8, nNumberOfBytesToRead=0x80ad, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesRead=0x24dd730*=0x80ad, lpOverlapped=0x0) returned 1 [0102.605] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.605] WriteFile (in: hFile=0xf4, lpBuffer=0x50c8b8*, nNumberOfBytesToWrite=0x80ad, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x80ad, lpOverlapped=0x0) returned 1 [0102.605] GetProcessHeap () returned 0x4e0000 [0102.605] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b8 | out: hHeap=0x4e0000) returned 1 [0102.605] CloseHandle (hObject=0xf4) returned 1 [0102.608] GetProcessHeap () returned 0x4e0000 [0102.608] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.608] GetProcessHeap () returned 0x4e0000 [0102.608] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.608] GetProcessHeap () returned 0x4e0000 [0102.608] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.608] GetProcessHeap () returned 0x4e0000 [0102.608] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.608] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_FTV DAHnCvzZz4gyY.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_FTV DAHnCvzZz4gyY.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_FTV DAHnCvzZz4gyY.png" [0102.608] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_FTV DAHnCvzZz4gyY.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_FTV DAHnCvzZz4gyY.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_FTV DAHnCvzZz4gyY.png.NEPHILIM" [0102.608] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_FTV DAHnCvzZz4gyY.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\_ftv dahncvzzz4gyy.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\bqgDuyQBRz9\\_FTV DAHnCvzZz4gyY.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\bqgduyqbrz9\\_ftv dahncvzzz4gyy.png.nephilim")) returned 1 [0102.609] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd43ff800, ftCreationTime.dwHighDateTime=0x1d5d86b, ftLastAccessTime.dwLowDateTime=0xdd317d40, ftLastAccessTime.dwHighDateTime=0x1d5e4d6, ftLastWriteTime.dwLowDateTime=0xdd317d40, ftLastWriteTime.dwHighDateTime=0x1d5e4d6, nFileSizeHigh=0x0, nFileSizeLow=0x80ad, dwReserved0=0x24dd72c, dwReserved1=0xda4df441, cFileName="_FTV DAHnCvzZz4gyY.png", cAlternateFileName="_FTVDA~1.PNG")) returned 0 [0102.610] FindClose (in: hFindFile=0x5028b0 | out: hFindFile=0x5028b0) returned 1 [0102.610] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6558b00, ftCreationTime.dwHighDateTime=0x1d5da3a, ftLastAccessTime.dwLowDateTime=0x69ff1210, ftLastAccessTime.dwHighDateTime=0x1d5e4c2, ftLastWriteTime.dwLowDateTime=0x69ff1210, ftLastWriteTime.dwHighDateTime=0x1d5e4c2, nFileSizeHigh=0x0, nFileSizeLow=0x13be9, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="E5FuYVZ0G8cLufpKE.swf", cAlternateFileName="E5FUYV~1.SWF")) returned 1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2=".") returned 1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="..") returned 1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="...") returned 1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="windows") returned -1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="$RECYCLE.BIN") returned 1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="rsa") returned -1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="log") returned -1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="NTDETECT.COM") returned -1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="ntldr") returned -1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="MSDOS.SYS") returned -1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="IO.SYS") returned -1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="boot.ini") returned 1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="AUTOEXEC.BAT") returned 1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="ntuser.dat") returned -1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="desktop.ini") returned 1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="CONFIG.SYS") returned 1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="RECYCLER") returned -1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="BOOTSECT.BAK") returned 1 [0102.610] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="bootmgr") returned 1 [0102.611] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="programdata") returned -1 [0102.611] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="appdata") returned 1 [0102.611] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="program files") returned -1 [0102.611] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="program files (x86)") returned -1 [0102.611] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.611] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\", lpString2="E5FuYVZ0G8cLufpKE.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\E5FuYVZ0G8cLufpKE.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\E5FuYVZ0G8cLufpKE.swf" [0102.611] PathFindExtensionW (pszPath="E5FuYVZ0G8cLufpKE.swf") returned=".swf" [0102.611] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0102.611] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0102.611] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0102.611] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0102.612] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0102.612] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0102.612] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0102.612] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0102.612] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0102.612] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0102.612] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0102.612] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0102.612] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0102.612] lstrcmpiW (lpString1=".swf", lpString2=".NEPHILIM") returned 1 [0102.612] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0102.612] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0102.612] lstrcmpiW (lpString1="E5FuYVZ0G8cLufpKE.swf", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.612] lstrlenA (lpString="NEPHILIM") returned 8 [0102.612] GetProcessHeap () returned 0x4e0000 [0102.612] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507678 [0102.612] lstrlenA (lpString="NEPHILIM") returned 8 [0102.612] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\E5FuYVZ0G8cLufpKE.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\e5fuyvz0g8clufpke.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0102.612] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=80873) returned 1 [0102.613] GetProcessHeap () returned 0x4e0000 [0102.613] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.613] GetProcessHeap () returned 0x4e0000 [0102.613] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.613] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.613] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.613] GetProcessHeap () returned 0x4e0000 [0102.613] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.613] GetProcessHeap () returned 0x4e0000 [0102.613] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.613] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0102.613] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0102.613] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x13be9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.614] SetLastError (dwErrCode=0x0) [0102.614] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.615] GetLastError () returned 0x0 [0102.615] GetLastError () returned 0x0 [0102.615] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x13ce9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.615] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.615] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x13de9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.615] lstrlenA (lpString="NEPHILIM") returned 8 [0102.615] WriteFile (in: hFile=0xf0, lpBuffer=0x507678*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507678*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0102.615] GetProcessHeap () returned 0x4e0000 [0102.615] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x13be9) returned 0x50b8b0 [0102.615] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.615] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0x13be9, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0x13be9, lpOverlapped=0x0) returned 1 [0102.621] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.621] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0x13be9, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x13be9, lpOverlapped=0x0) returned 1 [0102.621] GetProcessHeap () returned 0x4e0000 [0102.622] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0102.622] CloseHandle (hObject=0xf0) returned 1 [0102.624] GetProcessHeap () returned 0x4e0000 [0102.624] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.624] GetProcessHeap () returned 0x4e0000 [0102.624] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.624] GetProcessHeap () returned 0x4e0000 [0102.624] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.624] GetProcessHeap () returned 0x4e0000 [0102.624] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.624] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\E5FuYVZ0G8cLufpKE.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\E5FuYVZ0G8cLufpKE.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\E5FuYVZ0G8cLufpKE.swf" [0102.624] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\E5FuYVZ0G8cLufpKE.swf", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\E5FuYVZ0G8cLufpKE.swf.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\E5FuYVZ0G8cLufpKE.swf.NEPHILIM" [0102.624] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\E5FuYVZ0G8cLufpKE.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\e5fuyvz0g8clufpke.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\E5FuYVZ0G8cLufpKE.swf.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\e5fuyvz0g8clufpke.swf.nephilim")) returned 1 [0102.626] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fea7440, ftCreationTime.dwHighDateTime=0x1d5e305, ftLastAccessTime.dwLowDateTime=0x18287ed0, ftLastAccessTime.dwHighDateTime=0x1d5ddd4, ftLastWriteTime.dwLowDateTime=0x18287ed0, ftLastWriteTime.dwHighDateTime=0x1d5ddd4, nFileSizeHigh=0x0, nFileSizeLow=0x18225, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="fGcTTu5.avi", cAlternateFileName="")) returned 1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2=".") returned 1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="..") returned 1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="...") returned 1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="windows") returned -1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="$RECYCLE.BIN") returned 1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="rsa") returned -1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="log") returned -1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="NTDETECT.COM") returned -1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="ntldr") returned -1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="MSDOS.SYS") returned -1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="IO.SYS") returned -1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="boot.ini") returned 1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="AUTOEXEC.BAT") returned 1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="ntuser.dat") returned -1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="desktop.ini") returned 1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="CONFIG.SYS") returned 1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="RECYCLER") returned -1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="BOOTSECT.BAK") returned 1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="bootmgr") returned 1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="programdata") returned -1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="appdata") returned 1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="program files") returned -1 [0102.626] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="program files (x86)") returned -1 [0102.626] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.627] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\", lpString2="fGcTTu5.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\fGcTTu5.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\fGcTTu5.avi" [0102.627] PathFindExtensionW (pszPath="fGcTTu5.avi") returned=".avi" [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".NEPHILIM") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0102.627] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0102.627] lstrcmpiW (lpString1="fGcTTu5.avi", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.627] lstrlenA (lpString="NEPHILIM") returned 8 [0102.627] GetProcessHeap () returned 0x4e0000 [0102.627] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507688 [0102.627] lstrlenA (lpString="NEPHILIM") returned 8 [0102.628] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\fGcTTu5.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\fgcttu5.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0102.628] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=98853) returned 1 [0102.628] GetProcessHeap () returned 0x4e0000 [0102.628] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.628] GetProcessHeap () returned 0x4e0000 [0102.628] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.628] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.628] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.628] GetProcessHeap () returned 0x4e0000 [0102.628] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.628] GetProcessHeap () returned 0x4e0000 [0102.628] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.628] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0102.629] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0102.629] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x18225, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.629] SetLastError (dwErrCode=0x0) [0102.629] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.630] GetLastError () returned 0x0 [0102.630] GetLastError () returned 0x0 [0102.630] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x18325, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.630] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.630] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x18425, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.631] lstrlenA (lpString="NEPHILIM") returned 8 [0102.631] WriteFile (in: hFile=0xf0, lpBuffer=0x507688*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507688*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0102.631] GetProcessHeap () returned 0x4e0000 [0102.631] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x18225) returned 0x50b8b0 [0102.631] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.631] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0x18225, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0x18225, lpOverlapped=0x0) returned 1 [0102.637] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.637] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0x18225, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x18225, lpOverlapped=0x0) returned 1 [0102.638] GetProcessHeap () returned 0x4e0000 [0102.638] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0102.638] CloseHandle (hObject=0xf0) returned 1 [0102.640] GetProcessHeap () returned 0x4e0000 [0102.640] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.640] GetProcessHeap () returned 0x4e0000 [0102.640] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.640] GetProcessHeap () returned 0x4e0000 [0102.640] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.640] GetProcessHeap () returned 0x4e0000 [0102.640] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.640] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\fGcTTu5.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\fGcTTu5.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\fGcTTu5.avi" [0102.640] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\fGcTTu5.avi", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\fGcTTu5.avi.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\fGcTTu5.avi.NEPHILIM" [0102.640] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\fGcTTu5.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\fgcttu5.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\fGcTTu5.avi.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\fgcttu5.avi.nephilim")) returned 1 [0102.642] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcef2390, ftCreationTime.dwHighDateTime=0x1d5e5c7, ftLastAccessTime.dwLowDateTime=0x5cee10e0, ftLastAccessTime.dwHighDateTime=0x1d5dde6, ftLastWriteTime.dwLowDateTime=0x5cee10e0, ftLastWriteTime.dwHighDateTime=0x1d5dde6, nFileSizeHigh=0x0, nFileSizeLow=0x51b4, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="MUTXgqR7U X4H.pps", cAlternateFileName="MUTXGQ~1.PPS")) returned 1 [0102.642] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2=".") returned 1 [0102.642] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="..") returned 1 [0102.642] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="...") returned 1 [0102.642] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="windows") returned -1 [0102.642] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="$RECYCLE.BIN") returned 1 [0102.642] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="rsa") returned -1 [0102.642] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="log") returned 1 [0102.642] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="NTDETECT.COM") returned -1 [0102.642] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="ntldr") returned -1 [0102.642] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="MSDOS.SYS") returned 1 [0102.642] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="IO.SYS") returned 1 [0102.642] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="boot.ini") returned 1 [0102.643] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="AUTOEXEC.BAT") returned 1 [0102.643] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="ntuser.dat") returned -1 [0102.643] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="desktop.ini") returned 1 [0102.643] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="CONFIG.SYS") returned 1 [0102.643] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="RECYCLER") returned -1 [0102.643] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="BOOTSECT.BAK") returned 1 [0102.643] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="bootmgr") returned 1 [0102.643] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="programdata") returned -1 [0102.643] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="appdata") returned 1 [0102.643] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="program files") returned -1 [0102.643] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="program files (x86)") returned -1 [0102.643] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.658] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\", lpString2="MUTXgqR7U X4H.pps" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\MUTXgqR7U X4H.pps") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\MUTXgqR7U X4H.pps" [0102.658] PathFindExtensionW (pszPath="MUTXgqR7U X4H.pps") returned=".pps" [0102.658] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0102.658] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0102.658] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0102.658] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0102.658] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0102.658] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0102.658] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0102.659] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0102.659] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0102.659] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0102.659] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0102.659] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0102.659] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0102.659] lstrcmpiW (lpString1=".pps", lpString2=".NEPHILIM") returned 1 [0102.659] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0102.659] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0102.659] lstrcmpiW (lpString1="MUTXgqR7U X4H.pps", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.659] lstrlenA (lpString="NEPHILIM") returned 8 [0102.659] GetProcessHeap () returned 0x4e0000 [0102.659] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507698 [0102.659] lstrlenA (lpString="NEPHILIM") returned 8 [0102.659] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\MUTXgqR7U X4H.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\mutxgqr7u x4h.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0102.659] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=20916) returned 1 [0102.660] GetProcessHeap () returned 0x4e0000 [0102.660] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.660] GetProcessHeap () returned 0x4e0000 [0102.660] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.660] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.660] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.660] GetProcessHeap () returned 0x4e0000 [0102.660] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.660] GetProcessHeap () returned 0x4e0000 [0102.660] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.660] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0102.660] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0102.660] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x51b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.661] SetLastError (dwErrCode=0x0) [0102.661] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.662] GetLastError () returned 0x0 [0102.662] GetLastError () returned 0x0 [0102.662] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x52b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.662] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.662] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x53b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.662] lstrlenA (lpString="NEPHILIM") returned 8 [0102.662] WriteFile (in: hFile=0xf0, lpBuffer=0x507698*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x507698*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0102.662] GetProcessHeap () returned 0x4e0000 [0102.662] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x51b4) returned 0x50b8b0 [0102.662] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.662] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0x51b4, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0x51b4, lpOverlapped=0x0) returned 1 [0102.664] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.664] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0x51b4, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x51b4, lpOverlapped=0x0) returned 1 [0102.664] GetProcessHeap () returned 0x4e0000 [0102.664] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0102.664] CloseHandle (hObject=0xf0) returned 1 [0102.665] GetProcessHeap () returned 0x4e0000 [0102.666] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.666] GetProcessHeap () returned 0x4e0000 [0102.666] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.666] GetProcessHeap () returned 0x4e0000 [0102.666] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.666] GetProcessHeap () returned 0x4e0000 [0102.666] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.666] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\MUTXgqR7U X4H.pps" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\MUTXgqR7U X4H.pps") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\MUTXgqR7U X4H.pps" [0102.666] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\MUTXgqR7U X4H.pps", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\MUTXgqR7U X4H.pps.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\MUTXgqR7U X4H.pps.NEPHILIM" [0102.666] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\MUTXgqR7U X4H.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\mutxgqr7u x4h.pps"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\MUTXgqR7U X4H.pps.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\mutxgqr7u x4h.pps.nephilim")) returned 1 [0102.667] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5fdc8d0, ftCreationTime.dwHighDateTime=0x1d5d962, ftLastAccessTime.dwLowDateTime=0x8515a060, ftLastAccessTime.dwHighDateTime=0x1d5e020, ftLastWriteTime.dwLowDateTime=0x8515a060, ftLastWriteTime.dwHighDateTime=0x1d5e020, nFileSizeHigh=0x0, nFileSizeLow=0xd40, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="ncQ3OCF5RA9oNgsYxb.wav", cAlternateFileName="NCQ3OC~1.WAV")) returned 1 [0102.667] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2=".") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="..") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="...") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="windows") returned -1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="$RECYCLE.BIN") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="rsa") returned -1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="log") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="NTDETECT.COM") returned -1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="ntldr") returned -1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="MSDOS.SYS") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="IO.SYS") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="boot.ini") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="AUTOEXEC.BAT") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="ntuser.dat") returned -1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="desktop.ini") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="CONFIG.SYS") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="RECYCLER") returned -1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="BOOTSECT.BAK") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="bootmgr") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="programdata") returned -1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="appdata") returned 1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="program files") returned -1 [0102.668] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="program files (x86)") returned -1 [0102.668] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.668] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\", lpString2="ncQ3OCF5RA9oNgsYxb.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\ncQ3OCF5RA9oNgsYxb.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\ncQ3OCF5RA9oNgsYxb.wav" [0102.668] PathFindExtensionW (pszPath="ncQ3OCF5RA9oNgsYxb.wav") returned=".wav" [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0102.669] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0102.669] lstrcmpiW (lpString1="ncQ3OCF5RA9oNgsYxb.wav", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.669] lstrlenA (lpString="NEPHILIM") returned 8 [0102.669] GetProcessHeap () returned 0x4e0000 [0102.669] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5076a8 [0102.669] lstrlenA (lpString="NEPHILIM") returned 8 [0102.669] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\ncQ3OCF5RA9oNgsYxb.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\ncq3ocf5ra9ongsyxb.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0102.670] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=3392) returned 1 [0102.670] GetProcessHeap () returned 0x4e0000 [0102.670] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.670] GetProcessHeap () returned 0x4e0000 [0102.670] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.670] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.670] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.670] GetProcessHeap () returned 0x4e0000 [0102.670] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.670] GetProcessHeap () returned 0x4e0000 [0102.670] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.670] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0102.670] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0102.671] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xd40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.671] SetLastError (dwErrCode=0x0) [0102.671] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.672] GetLastError () returned 0x0 [0102.672] GetLastError () returned 0x0 [0102.672] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xe40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.672] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.672] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xf40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.672] lstrlenA (lpString="NEPHILIM") returned 8 [0102.672] WriteFile (in: hFile=0xf0, lpBuffer=0x5076a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5076a8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0102.672] GetProcessHeap () returned 0x4e0000 [0102.672] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xd40) returned 0x50b8b0 [0102.672] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.672] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0xd40, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0xd40, lpOverlapped=0x0) returned 1 [0102.673] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.673] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0xd40, lpOverlapped=0x0) returned 1 [0102.673] GetProcessHeap () returned 0x4e0000 [0102.673] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0102.673] CloseHandle (hObject=0xf0) returned 1 [0102.674] GetProcessHeap () returned 0x4e0000 [0102.674] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.675] GetProcessHeap () returned 0x4e0000 [0102.675] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.675] GetProcessHeap () returned 0x4e0000 [0102.675] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.675] GetProcessHeap () returned 0x4e0000 [0102.675] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.675] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\ncQ3OCF5RA9oNgsYxb.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\ncQ3OCF5RA9oNgsYxb.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\ncQ3OCF5RA9oNgsYxb.wav" [0102.675] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\ncQ3OCF5RA9oNgsYxb.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\ncQ3OCF5RA9oNgsYxb.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\ncQ3OCF5RA9oNgsYxb.wav.NEPHILIM" [0102.675] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\ncQ3OCF5RA9oNgsYxb.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\ncq3ocf5ra9ongsyxb.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\ncQ3OCF5RA9oNgsYxb.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\ncq3ocf5ra9ongsyxb.wav.nephilim")) returned 1 [0102.676] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe931a870, ftCreationTime.dwHighDateTime=0x1d5d8df, ftLastAccessTime.dwLowDateTime=0xcb815f30, ftLastAccessTime.dwHighDateTime=0x1d5d91d, ftLastWriteTime.dwLowDateTime=0xcb815f30, ftLastWriteTime.dwHighDateTime=0x1d5d91d, nFileSizeHigh=0x0, nFileSizeLow=0x11dfd, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="OrESP.m4a", cAlternateFileName="")) returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2=".") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="..") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="...") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="windows") returned -1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="$RECYCLE.BIN") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="rsa") returned -1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="log") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="NTDETECT.COM") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="ntldr") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="MSDOS.SYS") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="IO.SYS") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="boot.ini") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="ntuser.dat") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="desktop.ini") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="CONFIG.SYS") returned 1 [0102.676] lstrcmpiW (lpString1="OrESP.m4a", lpString2="RECYCLER") returned -1 [0102.677] lstrcmpiW (lpString1="OrESP.m4a", lpString2="BOOTSECT.BAK") returned 1 [0102.677] lstrcmpiW (lpString1="OrESP.m4a", lpString2="bootmgr") returned 1 [0102.677] lstrcmpiW (lpString1="OrESP.m4a", lpString2="programdata") returned -1 [0102.677] lstrcmpiW (lpString1="OrESP.m4a", lpString2="appdata") returned 1 [0102.677] lstrcmpiW (lpString1="OrESP.m4a", lpString2="program files") returned -1 [0102.677] lstrcmpiW (lpString1="OrESP.m4a", lpString2="program files (x86)") returned -1 [0102.677] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.677] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\", lpString2="OrESP.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\OrESP.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\OrESP.m4a" [0102.677] PathFindExtensionW (pszPath="OrESP.m4a") returned=".m4a" [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0102.677] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0102.677] lstrcmpiW (lpString1="OrESP.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.677] lstrlenA (lpString="NEPHILIM") returned 8 [0102.677] GetProcessHeap () returned 0x4e0000 [0102.677] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5076b8 [0102.677] lstrlenA (lpString="NEPHILIM") returned 8 [0102.678] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\OrESP.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\oresp.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0102.678] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=73213) returned 1 [0102.678] GetProcessHeap () returned 0x4e0000 [0102.678] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.678] GetProcessHeap () returned 0x4e0000 [0102.678] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.678] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.678] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.678] GetProcessHeap () returned 0x4e0000 [0102.678] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.678] GetProcessHeap () returned 0x4e0000 [0102.678] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.678] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0102.678] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0102.678] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x11dfd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.679] SetLastError (dwErrCode=0x0) [0102.679] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.680] GetLastError () returned 0x0 [0102.680] GetLastError () returned 0x0 [0102.680] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x11efd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.680] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.680] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x11ffd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.680] lstrlenA (lpString="NEPHILIM") returned 8 [0102.680] WriteFile (in: hFile=0xf0, lpBuffer=0x5076b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5076b8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0102.680] GetProcessHeap () returned 0x4e0000 [0102.680] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x11dfd) returned 0x50b8b0 [0102.680] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.680] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0x11dfd, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0x11dfd, lpOverlapped=0x0) returned 1 [0102.685] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.685] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0x11dfd, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x11dfd, lpOverlapped=0x0) returned 1 [0102.685] GetProcessHeap () returned 0x4e0000 [0102.685] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0102.685] CloseHandle (hObject=0xf0) returned 1 [0102.687] GetProcessHeap () returned 0x4e0000 [0102.687] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.687] GetProcessHeap () returned 0x4e0000 [0102.687] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.687] GetProcessHeap () returned 0x4e0000 [0102.687] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.687] GetProcessHeap () returned 0x4e0000 [0102.687] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.687] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\OrESP.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\OrESP.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\OrESP.m4a" [0102.687] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\OrESP.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\OrESP.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\OrESP.m4a.NEPHILIM" [0102.687] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\OrESP.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\oresp.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\OrESP.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\oresp.m4a.nephilim")) returned 1 [0102.689] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b704ae0, ftCreationTime.dwHighDateTime=0x1d5d927, ftLastAccessTime.dwLowDateTime=0x849a5fc0, ftLastAccessTime.dwHighDateTime=0x1d5e13a, ftLastWriteTime.dwLowDateTime=0x849a5fc0, ftLastWriteTime.dwHighDateTime=0x1d5e13a, nFileSizeHigh=0x0, nFileSizeLow=0x9ca9, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="yDv-xMox2 BshIi9.bmp", cAlternateFileName="YDV-XM~1.BMP")) returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2=".") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="..") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="...") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="windows") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="$RECYCLE.BIN") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="rsa") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="log") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="NTDETECT.COM") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="ntldr") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="MSDOS.SYS") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="IO.SYS") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="boot.ini") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="ntuser.dat") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="desktop.ini") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="CONFIG.SYS") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="RECYCLER") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="BOOTSECT.BAK") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="bootmgr") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="programdata") returned 1 [0102.689] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="appdata") returned 1 [0102.690] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="program files") returned 1 [0102.690] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="program files (x86)") returned 1 [0102.690] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\" [0102.690] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\", lpString2="yDv-xMox2 BshIi9.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\yDv-xMox2 BshIi9.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\yDv-xMox2 BshIi9.bmp" [0102.690] PathFindExtensionW (pszPath="yDv-xMox2 BshIi9.bmp") returned=".bmp" [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0102.690] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0102.690] lstrcmpiW (lpString1="yDv-xMox2 BshIi9.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.690] lstrlenA (lpString="NEPHILIM") returned 8 [0102.690] GetProcessHeap () returned 0x4e0000 [0102.690] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5076c8 [0102.690] lstrlenA (lpString="NEPHILIM") returned 8 [0102.690] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\yDv-xMox2 BshIi9.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\ydv-xmox2 bshii9.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0102.691] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=40105) returned 1 [0102.691] GetProcessHeap () returned 0x4e0000 [0102.691] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.691] GetProcessHeap () returned 0x4e0000 [0102.691] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.691] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.691] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.691] GetProcessHeap () returned 0x4e0000 [0102.691] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.691] GetProcessHeap () returned 0x4e0000 [0102.691] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.691] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0102.691] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0102.691] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x9ca9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.691] SetLastError (dwErrCode=0x0) [0102.691] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.692] GetLastError () returned 0x0 [0102.692] GetLastError () returned 0x0 [0102.692] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x9da9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.693] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0102.693] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x9ea9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.693] lstrlenA (lpString="NEPHILIM") returned 8 [0102.693] WriteFile (in: hFile=0xf0, lpBuffer=0x5076c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5076c8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0102.693] GetProcessHeap () returned 0x4e0000 [0102.693] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x9ca9) returned 0x50b8b0 [0102.693] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.693] ReadFile (in: hFile=0xf0, lpBuffer=0x50b8b0, nNumberOfBytesToRead=0x9ca9, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesRead=0x24dddb0*=0x9ca9, lpOverlapped=0x0) returned 1 [0102.695] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.695] WriteFile (in: hFile=0xf0, lpBuffer=0x50b8b0*, nNumberOfBytesToWrite=0x9ca9, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50b8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x9ca9, lpOverlapped=0x0) returned 1 [0102.695] GetProcessHeap () returned 0x4e0000 [0102.695] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8b0 | out: hHeap=0x4e0000) returned 1 [0102.696] CloseHandle (hObject=0xf0) returned 1 [0102.697] GetProcessHeap () returned 0x4e0000 [0102.697] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.697] GetProcessHeap () returned 0x4e0000 [0102.697] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.697] GetProcessHeap () returned 0x4e0000 [0102.697] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.697] GetProcessHeap () returned 0x4e0000 [0102.697] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.697] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\yDv-xMox2 BshIi9.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\yDv-xMox2 BshIi9.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\yDv-xMox2 BshIi9.bmp" [0102.697] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\yDv-xMox2 BshIi9.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\yDv-xMox2 BshIi9.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\yDv-xMox2 BshIi9.bmp.NEPHILIM" [0102.697] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\yDv-xMox2 BshIi9.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\ydv-xmox2 bshii9.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EK1PloBl6twa\\yDv-xMox2 BshIi9.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ek1plobl6twa\\ydv-xmox2 bshii9.bmp.nephilim")) returned 1 [0102.699] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b704ae0, ftCreationTime.dwHighDateTime=0x1d5d927, ftLastAccessTime.dwLowDateTime=0x849a5fc0, ftLastAccessTime.dwHighDateTime=0x1d5e13a, ftLastWriteTime.dwLowDateTime=0x849a5fc0, ftLastWriteTime.dwHighDateTime=0x1d5e13a, nFileSizeHigh=0x0, nFileSizeLow=0x9ca9, dwReserved0=0x24dddac, dwReserved1=0xd378f4ac, cFileName="yDv-xMox2 BshIi9.bmp", cAlternateFileName="YDV-XM~1.BMP")) returned 0 [0102.699] FindClose (in: hFindFile=0x502870 | out: hFindFile=0x502870) returned 1 [0102.699] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18e9b1b0, ftCreationTime.dwHighDateTime=0x1d5e584, ftLastAccessTime.dwLowDateTime=0x4d057700, ftLastAccessTime.dwHighDateTime=0x1d5e763, ftLastWriteTime.dwLowDateTime=0x4d057700, ftLastWriteTime.dwHighDateTime=0x1d5e763, nFileSizeHigh=0x0, nFileSizeLow=0x17466, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="EXwvyT0tN2ZHn.avi", cAlternateFileName="EXWVYT~1.AVI")) returned 1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2=".") returned 1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="..") returned 1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="...") returned 1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="windows") returned -1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="$RECYCLE.BIN") returned 1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="rsa") returned -1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="log") returned -1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="NTDETECT.COM") returned -1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="ntldr") returned -1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="MSDOS.SYS") returned -1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="IO.SYS") returned -1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="boot.ini") returned 1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="AUTOEXEC.BAT") returned 1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="ntuser.dat") returned -1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="desktop.ini") returned 1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="CONFIG.SYS") returned 1 [0102.699] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="RECYCLER") returned -1 [0102.700] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="BOOTSECT.BAK") returned 1 [0102.700] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="bootmgr") returned 1 [0102.700] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="programdata") returned -1 [0102.700] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="appdata") returned 1 [0102.700] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="program files") returned -1 [0102.700] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="program files (x86)") returned -1 [0102.700] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.700] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="EXwvyT0tN2ZHn.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EXwvyT0tN2ZHn.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EXwvyT0tN2ZHn.avi" [0102.700] PathFindExtensionW (pszPath="EXwvyT0tN2ZHn.avi") returned=".avi" [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0102.700] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0102.701] lstrcmpiW (lpString1=".avi", lpString2=".NEPHILIM") returned -1 [0102.701] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0102.701] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0102.701] lstrcmpiW (lpString1="EXwvyT0tN2ZHn.avi", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.701] lstrlenA (lpString="NEPHILIM") returned 8 [0102.701] GetProcessHeap () returned 0x4e0000 [0102.701] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5076d8 [0102.701] lstrlenA (lpString="NEPHILIM") returned 8 [0102.701] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EXwvyT0tN2ZHn.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\exwvyt0tn2zhn.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.701] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=95334) returned 1 [0102.701] GetProcessHeap () returned 0x4e0000 [0102.701] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.701] GetProcessHeap () returned 0x4e0000 [0102.701] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.701] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.701] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.702] GetProcessHeap () returned 0x4e0000 [0102.702] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.702] GetProcessHeap () returned 0x4e0000 [0102.702] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.702] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.702] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.702] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17466, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.702] SetLastError (dwErrCode=0x0) [0102.702] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.703] GetLastError () returned 0x0 [0102.703] GetLastError () returned 0x0 [0102.703] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17566, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.704] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.704] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17666, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.704] lstrlenA (lpString="NEPHILIM") returned 8 [0102.704] WriteFile (in: hFile=0xec, lpBuffer=0x5076d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5076d8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.704] GetProcessHeap () returned 0x4e0000 [0102.704] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x17466) returned 0x50a8a8 [0102.704] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.704] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x17466, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x17466, lpOverlapped=0x0) returned 1 [0102.711] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.711] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x17466, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x17466, lpOverlapped=0x0) returned 1 [0102.711] GetProcessHeap () returned 0x4e0000 [0102.711] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.711] CloseHandle (hObject=0xec) returned 1 [0102.719] GetProcessHeap () returned 0x4e0000 [0102.720] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.720] GetProcessHeap () returned 0x4e0000 [0102.720] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.720] GetProcessHeap () returned 0x4e0000 [0102.720] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.720] GetProcessHeap () returned 0x4e0000 [0102.720] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.720] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EXwvyT0tN2ZHn.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EXwvyT0tN2ZHn.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EXwvyT0tN2ZHn.avi" [0102.720] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EXwvyT0tN2ZHn.avi", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EXwvyT0tN2ZHn.avi.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EXwvyT0tN2ZHn.avi.NEPHILIM" [0102.720] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EXwvyT0tN2ZHn.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\exwvyt0tn2zhn.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EXwvyT0tN2ZHn.avi.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\exwvyt0tn2zhn.avi.nephilim")) returned 1 [0102.722] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb5fab40, ftCreationTime.dwHighDateTime=0x1d5d7d6, ftLastAccessTime.dwLowDateTime=0xffc6c5b0, ftLastAccessTime.dwHighDateTime=0x1d5e5f6, ftLastWriteTime.dwLowDateTime=0xffc6c5b0, ftLastWriteTime.dwHighDateTime=0x1d5e5f6, nFileSizeHigh=0x0, nFileSizeLow=0xeeab, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="GE01OUqBptfFXilp.mp3", cAlternateFileName="GE01OU~1.MP3")) returned 1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2=".") returned 1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="..") returned 1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="...") returned 1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="windows") returned -1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="$RECYCLE.BIN") returned 1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="rsa") returned -1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="log") returned -1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="NTDETECT.COM") returned -1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="ntldr") returned -1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="MSDOS.SYS") returned -1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="IO.SYS") returned -1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="boot.ini") returned 1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="ntuser.dat") returned -1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="desktop.ini") returned 1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="CONFIG.SYS") returned 1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="RECYCLER") returned -1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="BOOTSECT.BAK") returned 1 [0102.722] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="bootmgr") returned 1 [0102.723] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="programdata") returned -1 [0102.723] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="appdata") returned 1 [0102.723] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="program files") returned -1 [0102.723] lstrcmpiW (lpString1="GE01OUqBptfFXilp.mp3", lpString2="program files (x86)") returned -1 [0102.723] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.723] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="GE01OUqBptfFXilp.mp3" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GE01OUqBptfFXilp.mp3") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GE01OUqBptfFXilp.mp3" [0102.723] PathFindExtensionW (pszPath="GE01OUqBptfFXilp.mp3") returned=".mp3" [0102.723] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0102.723] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0102.723] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0102.723] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0102.723] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0102.723] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0102.723] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0102.723] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0102.723] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0102.723] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0102.723] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0102.723] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5947f440, ftCreationTime.dwHighDateTime=0x1d5e270, ftLastAccessTime.dwLowDateTime=0xf94e4cb0, ftLastAccessTime.dwHighDateTime=0x1d5dd2e, ftLastWriteTime.dwLowDateTime=0xf94e4cb0, ftLastWriteTime.dwHighDateTime=0x1d5dd2e, nFileSizeHigh=0x0, nFileSizeLow=0xe040, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="gLmMSD2.jpg", cAlternateFileName="")) returned 1 [0102.723] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2=".") returned 1 [0102.723] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="..") returned 1 [0102.723] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="...") returned 1 [0102.723] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="windows") returned -1 [0102.723] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="$RECYCLE.BIN") returned 1 [0102.723] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="rsa") returned -1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="log") returned -1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="NTDETECT.COM") returned -1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="ntldr") returned -1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="MSDOS.SYS") returned -1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="IO.SYS") returned -1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="boot.ini") returned 1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="ntuser.dat") returned -1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="desktop.ini") returned 1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="CONFIG.SYS") returned 1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="RECYCLER") returned -1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="BOOTSECT.BAK") returned 1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="bootmgr") returned 1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="programdata") returned -1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="appdata") returned 1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="program files") returned -1 [0102.724] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="program files (x86)") returned -1 [0102.724] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.724] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="gLmMSD2.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gLmMSD2.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gLmMSD2.jpg" [0102.724] PathFindExtensionW (pszPath="gLmMSD2.jpg") returned=".jpg" [0102.724] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0102.724] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0102.724] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0102.724] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0102.724] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0102.725] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0102.725] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0102.725] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0102.725] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0102.725] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0102.725] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0102.725] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0102.725] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0102.725] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0102.725] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0102.725] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0102.725] lstrcmpiW (lpString1="gLmMSD2.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.725] lstrlenA (lpString="NEPHILIM") returned 8 [0102.725] GetProcessHeap () returned 0x4e0000 [0102.725] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5076e8 [0102.725] lstrlenA (lpString="NEPHILIM") returned 8 [0102.725] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gLmMSD2.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\glmmsd2.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.725] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=57408) returned 1 [0102.725] GetProcessHeap () returned 0x4e0000 [0102.726] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.726] GetProcessHeap () returned 0x4e0000 [0102.726] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.726] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.726] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.726] GetProcessHeap () returned 0x4e0000 [0102.726] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.726] GetProcessHeap () returned 0x4e0000 [0102.726] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.726] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.726] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.726] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.726] SetLastError (dwErrCode=0x0) [0102.726] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.728] GetLastError () returned 0x0 [0102.728] GetLastError () returned 0x0 [0102.728] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.728] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.728] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.728] lstrlenA (lpString="NEPHILIM") returned 8 [0102.728] WriteFile (in: hFile=0xec, lpBuffer=0x5076e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5076e8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.728] GetProcessHeap () returned 0x4e0000 [0102.728] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xe040) returned 0x50a8a8 [0102.728] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.728] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0xe040, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0xe040, lpOverlapped=0x0) returned 1 [0102.732] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.732] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0xe040, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0xe040, lpOverlapped=0x0) returned 1 [0102.732] GetProcessHeap () returned 0x4e0000 [0102.732] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.732] CloseHandle (hObject=0xec) returned 1 [0102.741] GetProcessHeap () returned 0x4e0000 [0102.741] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.741] GetProcessHeap () returned 0x4e0000 [0102.741] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.741] GetProcessHeap () returned 0x4e0000 [0102.741] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.741] GetProcessHeap () returned 0x4e0000 [0102.741] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.741] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gLmMSD2.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gLmMSD2.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gLmMSD2.jpg" [0102.741] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gLmMSD2.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gLmMSD2.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gLmMSD2.jpg.NEPHILIM" [0102.741] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gLmMSD2.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\glmmsd2.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gLmMSD2.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\glmmsd2.jpg.nephilim")) returned 1 [0102.743] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95addc70, ftCreationTime.dwHighDateTime=0x1d5e22e, ftLastAccessTime.dwLowDateTime=0xf009a720, ftLastAccessTime.dwHighDateTime=0x1d5dd34, ftLastWriteTime.dwLowDateTime=0xf009a720, ftLastWriteTime.dwHighDateTime=0x1d5dd34, nFileSizeHigh=0x0, nFileSizeLow=0x10fee, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="gZVRIOE.mp4", cAlternateFileName="")) returned 1 [0102.743] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2=".") returned 1 [0102.743] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="..") returned 1 [0102.743] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="...") returned 1 [0102.743] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="windows") returned -1 [0102.743] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="$RECYCLE.BIN") returned 1 [0102.743] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="rsa") returned -1 [0102.743] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="log") returned -1 [0102.743] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="NTDETECT.COM") returned -1 [0102.743] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="ntldr") returned -1 [0102.743] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="MSDOS.SYS") returned -1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="IO.SYS") returned -1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="boot.ini") returned 1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="ntuser.dat") returned -1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="desktop.ini") returned 1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="CONFIG.SYS") returned 1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="RECYCLER") returned -1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="BOOTSECT.BAK") returned 1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="bootmgr") returned 1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="programdata") returned -1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="appdata") returned 1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="program files") returned -1 [0102.744] lstrcmpiW (lpString1="gZVRIOE.mp4", lpString2="program files (x86)") returned -1 [0102.744] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.744] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="gZVRIOE.mp4" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gZVRIOE.mp4") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\gZVRIOE.mp4" [0102.744] PathFindExtensionW (pszPath="gZVRIOE.mp4") returned=".mp4" [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0102.744] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0102.744] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3f7d60, ftCreationTime.dwHighDateTime=0x1d5de19, ftLastAccessTime.dwLowDateTime=0x63b70cf0, ftLastAccessTime.dwHighDateTime=0x1d5e413, ftLastWriteTime.dwLowDateTime=0x63b70cf0, ftLastWriteTime.dwHighDateTime=0x1d5e413, nFileSizeHigh=0x0, nFileSizeLow=0x23fd, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="hGwQTJ18XX9LQhvrOhr4.gif", cAlternateFileName="HGWQTJ~1.GIF")) returned 1 [0102.744] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2=".") returned 1 [0102.744] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="..") returned 1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="...") returned 1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="windows") returned -1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="$RECYCLE.BIN") returned 1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="rsa") returned -1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="log") returned -1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="NTDETECT.COM") returned -1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="ntldr") returned -1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="MSDOS.SYS") returned -1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="IO.SYS") returned -1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="boot.ini") returned 1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="AUTOEXEC.BAT") returned 1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="ntuser.dat") returned -1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="desktop.ini") returned 1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="CONFIG.SYS") returned 1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="RECYCLER") returned -1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="BOOTSECT.BAK") returned 1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="bootmgr") returned 1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="programdata") returned -1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="appdata") returned 1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="program files") returned -1 [0102.745] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="program files (x86)") returned -1 [0102.745] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.745] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="hGwQTJ18XX9LQhvrOhr4.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hGwQTJ18XX9LQhvrOhr4.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hGwQTJ18XX9LQhvrOhr4.gif" [0102.745] PathFindExtensionW (pszPath="hGwQTJ18XX9LQhvrOhr4.gif") returned=".gif" [0102.745] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0102.745] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0102.745] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0102.745] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0102.745] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0102.745] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0102.745] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0102.746] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0102.746] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0102.746] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0102.746] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0102.746] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0102.746] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0102.746] lstrcmpiW (lpString1=".gif", lpString2=".NEPHILIM") returned -1 [0102.746] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0102.746] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0102.746] lstrcmpiW (lpString1="hGwQTJ18XX9LQhvrOhr4.gif", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.746] lstrlenA (lpString="NEPHILIM") returned 8 [0102.746] GetProcessHeap () returned 0x4e0000 [0102.746] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5076f8 [0102.746] lstrlenA (lpString="NEPHILIM") returned 8 [0102.746] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hGwQTJ18XX9LQhvrOhr4.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hgwqtj18xx9lqhvrohr4.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.746] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=9213) returned 1 [0102.746] GetProcessHeap () returned 0x4e0000 [0102.746] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.746] GetProcessHeap () returned 0x4e0000 [0102.746] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.747] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.747] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.747] GetProcessHeap () returned 0x4e0000 [0102.747] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.747] GetProcessHeap () returned 0x4e0000 [0102.747] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.747] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.747] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.747] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x23fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.747] SetLastError (dwErrCode=0x0) [0102.747] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.748] GetLastError () returned 0x0 [0102.748] GetLastError () returned 0x0 [0102.748] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x24fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.749] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.749] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x25fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.749] lstrlenA (lpString="NEPHILIM") returned 8 [0102.749] WriteFile (in: hFile=0xec, lpBuffer=0x5076f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5076f8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.749] GetProcessHeap () returned 0x4e0000 [0102.749] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x23fd) returned 0x50a8a8 [0102.749] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.749] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x23fd, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x23fd, lpOverlapped=0x0) returned 1 [0102.750] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.750] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x23fd, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x23fd, lpOverlapped=0x0) returned 1 [0102.750] GetProcessHeap () returned 0x4e0000 [0102.750] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.750] CloseHandle (hObject=0xec) returned 1 [0102.756] GetProcessHeap () returned 0x4e0000 [0102.756] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.756] GetProcessHeap () returned 0x4e0000 [0102.756] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.756] GetProcessHeap () returned 0x4e0000 [0102.756] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.756] GetProcessHeap () returned 0x4e0000 [0102.756] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.756] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hGwQTJ18XX9LQhvrOhr4.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hGwQTJ18XX9LQhvrOhr4.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hGwQTJ18XX9LQhvrOhr4.gif" [0102.756] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hGwQTJ18XX9LQhvrOhr4.gif", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hGwQTJ18XX9LQhvrOhr4.gif.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hGwQTJ18XX9LQhvrOhr4.gif.NEPHILIM" [0102.756] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hGwQTJ18XX9LQhvrOhr4.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hgwqtj18xx9lqhvrohr4.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hGwQTJ18XX9LQhvrOhr4.gif.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hgwqtj18xx9lqhvrohr4.gif.nephilim")) returned 1 [0102.758] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2e7bf60, ftCreationTime.dwHighDateTime=0x1d5e6e1, ftLastAccessTime.dwLowDateTime=0xcf819b50, ftLastAccessTime.dwHighDateTime=0x1d5e1dc, ftLastWriteTime.dwLowDateTime=0xcf819b50, ftLastWriteTime.dwHighDateTime=0x1d5e1dc, nFileSizeHigh=0x0, nFileSizeLow=0x15f39, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="jTSz6i43R3GDFLBpinoR.mp3", cAlternateFileName="JTSZ6I~1.MP3")) returned 1 [0102.758] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2=".") returned 1 [0102.758] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="..") returned 1 [0102.758] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="...") returned 1 [0102.758] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="windows") returned -1 [0102.758] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="$RECYCLE.BIN") returned 1 [0102.758] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="rsa") returned -1 [0102.758] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="log") returned -1 [0102.758] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="NTDETECT.COM") returned -1 [0102.758] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="ntldr") returned -1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="MSDOS.SYS") returned -1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="IO.SYS") returned 1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="boot.ini") returned 1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="ntuser.dat") returned -1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="desktop.ini") returned 1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="CONFIG.SYS") returned 1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="RECYCLER") returned -1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="BOOTSECT.BAK") returned 1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="bootmgr") returned 1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="programdata") returned -1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="appdata") returned 1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="program files") returned -1 [0102.759] lstrcmpiW (lpString1="jTSz6i43R3GDFLBpinoR.mp3", lpString2="program files (x86)") returned -1 [0102.759] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.759] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="jTSz6i43R3GDFLBpinoR.mp3" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jTSz6i43R3GDFLBpinoR.mp3") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jTSz6i43R3GDFLBpinoR.mp3" [0102.759] PathFindExtensionW (pszPath="jTSz6i43R3GDFLBpinoR.mp3") returned=".mp3" [0102.759] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0102.759] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0102.759] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0102.759] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0102.759] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0102.759] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0102.759] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0102.759] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0102.759] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0102.759] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0102.759] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0102.759] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6dd21560, ftCreationTime.dwHighDateTime=0x1d5e0d8, ftLastAccessTime.dwLowDateTime=0xfc504df0, ftLastAccessTime.dwHighDateTime=0x1d5e314, ftLastWriteTime.dwLowDateTime=0xfc504df0, ftLastWriteTime.dwHighDateTime=0x1d5e314, nFileSizeHigh=0x0, nFileSizeLow=0x9a52, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="jYb8h7NZa.xlsx", cAlternateFileName="JYB8H7~1.XLS")) returned 1 [0102.759] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2=".") returned 1 [0102.759] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="..") returned 1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="...") returned 1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="windows") returned -1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="rsa") returned -1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="log") returned -1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="NTDETECT.COM") returned -1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="ntldr") returned -1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="MSDOS.SYS") returned -1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="IO.SYS") returned 1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="boot.ini") returned 1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="ntuser.dat") returned -1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="desktop.ini") returned 1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="CONFIG.SYS") returned 1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="RECYCLER") returned -1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="bootmgr") returned 1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="programdata") returned -1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="appdata") returned 1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="program files") returned -1 [0102.760] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="program files (x86)") returned -1 [0102.760] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.760] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="jYb8h7NZa.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jYb8h7NZa.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jYb8h7NZa.xlsx" [0102.760] PathFindExtensionW (pszPath="jYb8h7NZa.xlsx") returned=".xlsx" [0102.760] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0102.760] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0102.760] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0102.760] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0102.760] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0102.761] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0102.761] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0102.761] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0102.761] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0102.761] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0102.761] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0102.761] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0102.761] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0102.761] lstrcmpiW (lpString1=".xlsx", lpString2=".NEPHILIM") returned 1 [0102.761] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0102.761] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0102.761] lstrcmpiW (lpString1="jYb8h7NZa.xlsx", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.761] lstrlenA (lpString="NEPHILIM") returned 8 [0102.761] GetProcessHeap () returned 0x4e0000 [0102.761] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507708 [0102.761] lstrlenA (lpString="NEPHILIM") returned 8 [0102.761] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jYb8h7NZa.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jyb8h7nza.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.761] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=39506) returned 1 [0102.761] GetProcessHeap () returned 0x4e0000 [0102.761] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.761] GetProcessHeap () returned 0x4e0000 [0102.761] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.761] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.761] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.762] GetProcessHeap () returned 0x4e0000 [0102.762] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.762] GetProcessHeap () returned 0x4e0000 [0102.762] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.762] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.762] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.762] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x9a52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.762] SetLastError (dwErrCode=0x0) [0102.762] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.763] GetLastError () returned 0x0 [0102.763] GetLastError () returned 0x0 [0102.763] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x9b52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.763] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.763] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x9c52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.763] lstrlenA (lpString="NEPHILIM") returned 8 [0102.763] WriteFile (in: hFile=0xec, lpBuffer=0x507708*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507708*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.764] GetProcessHeap () returned 0x4e0000 [0102.764] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x9a52) returned 0x50a8a8 [0102.764] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.764] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x9a52, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x9a52, lpOverlapped=0x0) returned 1 [0102.766] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.766] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x9a52, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x9a52, lpOverlapped=0x0) returned 1 [0102.767] GetProcessHeap () returned 0x4e0000 [0102.767] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.767] CloseHandle (hObject=0xec) returned 1 [0102.772] GetProcessHeap () returned 0x4e0000 [0102.772] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.772] GetProcessHeap () returned 0x4e0000 [0102.773] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.773] GetProcessHeap () returned 0x4e0000 [0102.773] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.773] GetProcessHeap () returned 0x4e0000 [0102.773] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.773] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jYb8h7NZa.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jYb8h7NZa.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jYb8h7NZa.xlsx" [0102.773] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jYb8h7NZa.xlsx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jYb8h7NZa.xlsx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jYb8h7NZa.xlsx.NEPHILIM" [0102.773] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jYb8h7NZa.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jyb8h7nza.xlsx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jYb8h7NZa.xlsx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jyb8h7nza.xlsx.nephilim")) returned 1 [0102.775] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d2f7f50, ftCreationTime.dwHighDateTime=0x1d5db78, ftLastAccessTime.dwLowDateTime=0x9c194df0, ftLastAccessTime.dwHighDateTime=0x1d5da5f, ftLastWriteTime.dwLowDateTime=0x9c194df0, ftLastWriteTime.dwHighDateTime=0x1d5da5f, nFileSizeHigh=0x0, nFileSizeLow=0xd71b, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="m6lsgqQLLU_h4iMbv.mp3", cAlternateFileName="M6LSGQ~1.MP3")) returned 1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2=".") returned 1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="..") returned 1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="...") returned 1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="windows") returned -1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="$RECYCLE.BIN") returned 1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="rsa") returned -1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="log") returned 1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="NTDETECT.COM") returned -1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="ntldr") returned -1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="MSDOS.SYS") returned -1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="IO.SYS") returned 1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="boot.ini") returned 1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="ntuser.dat") returned -1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="desktop.ini") returned 1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="CONFIG.SYS") returned 1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="RECYCLER") returned -1 [0102.775] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="BOOTSECT.BAK") returned 1 [0102.776] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="bootmgr") returned 1 [0102.776] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="programdata") returned -1 [0102.776] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="appdata") returned 1 [0102.776] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="program files") returned -1 [0102.776] lstrcmpiW (lpString1="m6lsgqQLLU_h4iMbv.mp3", lpString2="program files (x86)") returned -1 [0102.776] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.776] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="m6lsgqQLLU_h4iMbv.mp3" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\m6lsgqQLLU_h4iMbv.mp3") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\m6lsgqQLLU_h4iMbv.mp3" [0102.776] PathFindExtensionW (pszPath="m6lsgqQLLU_h4iMbv.mp3") returned=".mp3" [0102.776] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0102.776] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0102.776] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0102.776] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0102.776] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0102.776] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0102.776] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0102.776] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0102.776] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0102.776] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0102.776] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0102.776] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1def68a0, ftCreationTime.dwHighDateTime=0x1d5d7d6, ftLastAccessTime.dwLowDateTime=0x45ec0f0, ftLastAccessTime.dwHighDateTime=0x1d5e1b0, ftLastWriteTime.dwLowDateTime=0x45ec0f0, ftLastWriteTime.dwHighDateTime=0x1d5e1b0, nFileSizeHigh=0x0, nFileSizeLow=0x1542b, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="qfuBovT6z3h.mp3", cAlternateFileName="QFUBOV~1.MP3")) returned 1 [0102.776] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2=".") returned 1 [0102.776] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="..") returned 1 [0102.776] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="...") returned 1 [0102.776] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="windows") returned -1 [0102.776] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="$RECYCLE.BIN") returned 1 [0102.776] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="rsa") returned -1 [0102.776] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="log") returned 1 [0102.776] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="NTDETECT.COM") returned 1 [0102.776] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="ntldr") returned 1 [0102.776] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="MSDOS.SYS") returned 1 [0102.776] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="IO.SYS") returned 1 [0102.776] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="boot.ini") returned 1 [0102.777] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0102.777] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="ntuser.dat") returned 1 [0102.777] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="desktop.ini") returned 1 [0102.777] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="CONFIG.SYS") returned 1 [0102.777] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="RECYCLER") returned -1 [0102.777] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="BOOTSECT.BAK") returned 1 [0102.777] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="bootmgr") returned 1 [0102.777] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="programdata") returned 1 [0102.777] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="appdata") returned 1 [0102.777] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="program files") returned 1 [0102.777] lstrcmpiW (lpString1="qfuBovT6z3h.mp3", lpString2="program files (x86)") returned 1 [0102.777] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.777] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="qfuBovT6z3h.mp3" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qfuBovT6z3h.mp3") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qfuBovT6z3h.mp3" [0102.777] PathFindExtensionW (pszPath="qfuBovT6z3h.mp3") returned=".mp3" [0102.777] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0102.777] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0102.777] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0102.777] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0102.777] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0102.777] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0102.777] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0102.777] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0102.777] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0102.777] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0102.777] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0102.777] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6874c5f0, ftCreationTime.dwHighDateTime=0x1d5e04b, ftLastAccessTime.dwLowDateTime=0xdc614900, ftLastAccessTime.dwHighDateTime=0x1d5dbe3, ftLastWriteTime.dwLowDateTime=0xdc614900, ftLastWriteTime.dwHighDateTime=0x1d5dbe3, nFileSizeHigh=0x0, nFileSizeLow=0x3380, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="RChbU4tjhigJsWd.m4a", cAlternateFileName="RCHBU4~1.M4A")) returned 1 [0102.777] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2=".") returned 1 [0102.777] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="..") returned 1 [0102.777] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="...") returned 1 [0102.777] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="windows") returned -1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="$RECYCLE.BIN") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="rsa") returned -1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="log") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="NTDETECT.COM") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="ntldr") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="MSDOS.SYS") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="IO.SYS") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="boot.ini") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="ntuser.dat") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="desktop.ini") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="CONFIG.SYS") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="RECYCLER") returned -1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="BOOTSECT.BAK") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="bootmgr") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="programdata") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="appdata") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="program files") returned 1 [0102.778] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="program files (x86)") returned 1 [0102.778] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.778] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="RChbU4tjhigJsWd.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RChbU4tjhigJsWd.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RChbU4tjhigJsWd.m4a" [0102.778] PathFindExtensionW (pszPath="RChbU4tjhigJsWd.m4a") returned=".m4a" [0102.778] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0102.778] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0102.778] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0102.778] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0102.778] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0102.778] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0102.779] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0102.779] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0102.779] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0102.779] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0102.779] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0102.779] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0102.779] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0102.779] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0102.779] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0102.779] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0102.779] lstrcmpiW (lpString1="RChbU4tjhigJsWd.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.779] lstrlenA (lpString="NEPHILIM") returned 8 [0102.779] GetProcessHeap () returned 0x4e0000 [0102.779] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507718 [0102.779] lstrlenA (lpString="NEPHILIM") returned 8 [0102.779] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RChbU4tjhigJsWd.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rchbu4tjhigjswd.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.779] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=13184) returned 1 [0102.779] GetProcessHeap () returned 0x4e0000 [0102.779] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.779] GetProcessHeap () returned 0x4e0000 [0102.779] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.779] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.779] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.779] GetProcessHeap () returned 0x4e0000 [0102.780] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.780] GetProcessHeap () returned 0x4e0000 [0102.780] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.780] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.780] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.780] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x3380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.780] SetLastError (dwErrCode=0x0) [0102.780] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.781] GetLastError () returned 0x0 [0102.781] GetLastError () returned 0x0 [0102.781] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x3480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.781] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.781] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x3580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.781] lstrlenA (lpString="NEPHILIM") returned 8 [0102.781] WriteFile (in: hFile=0xec, lpBuffer=0x507718*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507718*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.781] GetProcessHeap () returned 0x4e0000 [0102.781] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3380) returned 0x50a8a8 [0102.781] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.781] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x3380, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x3380, lpOverlapped=0x0) returned 1 [0102.782] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.782] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x3380, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x3380, lpOverlapped=0x0) returned 1 [0102.782] GetProcessHeap () returned 0x4e0000 [0102.782] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.782] CloseHandle (hObject=0xec) returned 1 [0102.784] GetProcessHeap () returned 0x4e0000 [0102.784] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.784] GetProcessHeap () returned 0x4e0000 [0102.784] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.784] GetProcessHeap () returned 0x4e0000 [0102.784] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.784] GetProcessHeap () returned 0x4e0000 [0102.784] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.784] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RChbU4tjhigJsWd.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RChbU4tjhigJsWd.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RChbU4tjhigJsWd.m4a" [0102.784] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RChbU4tjhigJsWd.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RChbU4tjhigJsWd.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RChbU4tjhigJsWd.m4a.NEPHILIM" [0102.784] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RChbU4tjhigJsWd.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rchbu4tjhigjswd.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RChbU4tjhigJsWd.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rchbu4tjhigjswd.m4a.nephilim")) returned 1 [0102.787] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d8de40, ftCreationTime.dwHighDateTime=0x1d5dfd4, ftLastAccessTime.dwLowDateTime=0xa67618c0, ftLastAccessTime.dwHighDateTime=0x1d5e2f5, ftLastWriteTime.dwLowDateTime=0xa67618c0, ftLastWriteTime.dwHighDateTime=0x1d5e2f5, nFileSizeHigh=0x0, nFileSizeLow=0x9171, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="RxAavaqz2_z.odt", cAlternateFileName="RXAAVA~1.ODT")) returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2=".") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="..") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="...") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="windows") returned -1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="$RECYCLE.BIN") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="rsa") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="log") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="NTDETECT.COM") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="ntldr") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="MSDOS.SYS") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="IO.SYS") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="boot.ini") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="AUTOEXEC.BAT") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="ntuser.dat") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="desktop.ini") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="CONFIG.SYS") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="RECYCLER") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="BOOTSECT.BAK") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="bootmgr") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="programdata") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="appdata") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="program files") returned 1 [0102.787] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="program files (x86)") returned 1 [0102.788] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.788] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="RxAavaqz2_z.odt" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RxAavaqz2_z.odt") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RxAavaqz2_z.odt" [0102.788] PathFindExtensionW (pszPath="RxAavaqz2_z.odt") returned=".odt" [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".exe") returned 1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".log") returned 1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".cab") returned 1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".cmd") returned 1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".com") returned 1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".cpl") returned 1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".url") returned -1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".ttf") returned -1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".mp3") returned 1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".pif") returned -1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".mp4") returned 1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".NEPHILIM") returned 1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".msi") returned 1 [0102.788] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0102.788] lstrcmpiW (lpString1="RxAavaqz2_z.odt", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.788] lstrlenA (lpString="NEPHILIM") returned 8 [0102.788] GetProcessHeap () returned 0x4e0000 [0102.788] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507728 [0102.788] lstrlenA (lpString="NEPHILIM") returned 8 [0102.788] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RxAavaqz2_z.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rxaavaqz2_z.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.789] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=37233) returned 1 [0102.789] GetProcessHeap () returned 0x4e0000 [0102.789] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.789] GetProcessHeap () returned 0x4e0000 [0102.789] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.789] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.789] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.789] GetProcessHeap () returned 0x4e0000 [0102.789] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.789] GetProcessHeap () returned 0x4e0000 [0102.789] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.789] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.789] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.789] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x9171, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.789] SetLastError (dwErrCode=0x0) [0102.790] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.790] GetLastError () returned 0x0 [0102.790] GetLastError () returned 0x0 [0102.790] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x9271, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.790] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.791] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x9371, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.791] lstrlenA (lpString="NEPHILIM") returned 8 [0102.791] WriteFile (in: hFile=0xec, lpBuffer=0x507728*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507728*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.791] GetProcessHeap () returned 0x4e0000 [0102.791] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x9171) returned 0x50a8a8 [0102.791] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.791] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x9171, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x9171, lpOverlapped=0x0) returned 1 [0102.793] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.793] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x9171, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x9171, lpOverlapped=0x0) returned 1 [0102.793] GetProcessHeap () returned 0x4e0000 [0102.793] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.793] CloseHandle (hObject=0xec) returned 1 [0102.795] GetProcessHeap () returned 0x4e0000 [0102.795] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.795] GetProcessHeap () returned 0x4e0000 [0102.795] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.795] GetProcessHeap () returned 0x4e0000 [0102.795] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.795] GetProcessHeap () returned 0x4e0000 [0102.795] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.795] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RxAavaqz2_z.odt" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RxAavaqz2_z.odt") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RxAavaqz2_z.odt" [0102.795] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RxAavaqz2_z.odt", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RxAavaqz2_z.odt.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RxAavaqz2_z.odt.NEPHILIM" [0102.795] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RxAavaqz2_z.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rxaavaqz2_z.odt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\RxAavaqz2_z.odt.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\rxaavaqz2_z.odt.nephilim")) returned 1 [0102.796] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc05f4f60, ftCreationTime.dwHighDateTime=0x1d5debb, ftLastAccessTime.dwLowDateTime=0x52e8bb90, ftLastAccessTime.dwHighDateTime=0x1d5e50c, ftLastWriteTime.dwLowDateTime=0x52e8bb90, ftLastWriteTime.dwHighDateTime=0x1d5e50c, nFileSizeHigh=0x0, nFileSizeLow=0x12a87, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="sBD1QdkY.flv", cAlternateFileName="")) returned 1 [0102.796] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2=".") returned 1 [0102.796] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="..") returned 1 [0102.796] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="...") returned 1 [0102.796] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="windows") returned -1 [0102.796] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="$RECYCLE.BIN") returned 1 [0102.796] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="rsa") returned 1 [0102.796] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="log") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="NTDETECT.COM") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="ntldr") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="MSDOS.SYS") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="IO.SYS") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="boot.ini") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="AUTOEXEC.BAT") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="ntuser.dat") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="desktop.ini") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="CONFIG.SYS") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="RECYCLER") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="BOOTSECT.BAK") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="bootmgr") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="programdata") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="appdata") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="program files") returned 1 [0102.797] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="program files (x86)") returned 1 [0102.797] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.797] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="sBD1QdkY.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sBD1QdkY.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sBD1QdkY.flv" [0102.797] PathFindExtensionW (pszPath="sBD1QdkY.flv") returned=".flv" [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0102.797] lstrcmpiW (lpString1=".flv", lpString2=".NEPHILIM") returned -1 [0102.798] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0102.798] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0102.798] lstrcmpiW (lpString1="sBD1QdkY.flv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.798] lstrlenA (lpString="NEPHILIM") returned 8 [0102.798] GetProcessHeap () returned 0x4e0000 [0102.798] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507738 [0102.798] lstrlenA (lpString="NEPHILIM") returned 8 [0102.798] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sBD1QdkY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sbd1qdky.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.798] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=76423) returned 1 [0102.798] GetProcessHeap () returned 0x4e0000 [0102.798] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.798] GetProcessHeap () returned 0x4e0000 [0102.798] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.798] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.798] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.798] GetProcessHeap () returned 0x4e0000 [0102.798] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.798] GetProcessHeap () returned 0x4e0000 [0102.798] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.799] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.799] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.799] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x12a87, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.799] SetLastError (dwErrCode=0x0) [0102.799] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.800] GetLastError () returned 0x0 [0102.800] GetLastError () returned 0x0 [0102.800] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x12b87, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.800] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.800] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x12c87, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.800] lstrlenA (lpString="NEPHILIM") returned 8 [0102.800] WriteFile (in: hFile=0xec, lpBuffer=0x507738*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507738*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.800] GetProcessHeap () returned 0x4e0000 [0102.800] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x12a87) returned 0x50a8a8 [0102.800] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.801] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x12a87, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x12a87, lpOverlapped=0x0) returned 1 [0102.805] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.805] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x12a87, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x12a87, lpOverlapped=0x0) returned 1 [0102.805] GetProcessHeap () returned 0x4e0000 [0102.805] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.805] CloseHandle (hObject=0xec) returned 1 [0102.808] GetProcessHeap () returned 0x4e0000 [0102.808] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.808] GetProcessHeap () returned 0x4e0000 [0102.808] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.808] GetProcessHeap () returned 0x4e0000 [0102.808] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.809] GetProcessHeap () returned 0x4e0000 [0102.809] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.809] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sBD1QdkY.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sBD1QdkY.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sBD1QdkY.flv" [0102.809] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sBD1QdkY.flv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sBD1QdkY.flv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sBD1QdkY.flv.NEPHILIM" [0102.809] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sBD1QdkY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sbd1qdky.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sBD1QdkY.flv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sbd1qdky.flv.nephilim")) returned 1 [0102.810] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0a10a90, ftCreationTime.dwHighDateTime=0x1d5e5d2, ftLastAccessTime.dwLowDateTime=0xd001f4e0, ftLastAccessTime.dwHighDateTime=0x1d5e67c, ftLastWriteTime.dwLowDateTime=0xd001f4e0, ftLastWriteTime.dwHighDateTime=0x1d5e67c, nFileSizeHigh=0x0, nFileSizeLow=0x159df, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="Tuo8EkNp.jpg", cAlternateFileName="")) returned 1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2=".") returned 1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="..") returned 1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="...") returned 1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="windows") returned -1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="$RECYCLE.BIN") returned 1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="rsa") returned 1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="log") returned 1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="NTDETECT.COM") returned 1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="ntldr") returned 1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="MSDOS.SYS") returned 1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="IO.SYS") returned 1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="boot.ini") returned 1 [0102.810] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0102.811] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="ntuser.dat") returned 1 [0102.811] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="desktop.ini") returned 1 [0102.811] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="CONFIG.SYS") returned 1 [0102.811] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="RECYCLER") returned 1 [0102.811] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="BOOTSECT.BAK") returned 1 [0102.811] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="bootmgr") returned 1 [0102.811] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="programdata") returned 1 [0102.811] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="appdata") returned 1 [0102.811] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="program files") returned 1 [0102.811] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="program files (x86)") returned 1 [0102.811] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.811] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Tuo8EkNp.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Tuo8EkNp.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Tuo8EkNp.jpg" [0102.811] PathFindExtensionW (pszPath="Tuo8EkNp.jpg") returned=".jpg" [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0102.811] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0102.811] lstrcmpiW (lpString1="Tuo8EkNp.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.812] lstrlenA (lpString="NEPHILIM") returned 8 [0102.812] GetProcessHeap () returned 0x4e0000 [0102.812] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507748 [0102.812] lstrlenA (lpString="NEPHILIM") returned 8 [0102.812] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Tuo8EkNp.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tuo8eknp.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.812] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=88543) returned 1 [0102.812] GetProcessHeap () returned 0x4e0000 [0102.812] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.812] GetProcessHeap () returned 0x4e0000 [0102.812] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.812] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.812] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.812] GetProcessHeap () returned 0x4e0000 [0102.812] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.812] GetProcessHeap () returned 0x4e0000 [0102.812] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.812] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.812] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.813] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x159df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.813] SetLastError (dwErrCode=0x0) [0102.813] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.814] GetLastError () returned 0x0 [0102.814] GetLastError () returned 0x0 [0102.814] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15adf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.814] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.814] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15bdf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.814] lstrlenA (lpString="NEPHILIM") returned 8 [0102.814] WriteFile (in: hFile=0xec, lpBuffer=0x507748*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507748*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.814] GetProcessHeap () returned 0x4e0000 [0102.814] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x159df) returned 0x50a8a8 [0102.814] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.814] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x159df, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x159df, lpOverlapped=0x0) returned 1 [0102.819] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.819] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x159df, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x159df, lpOverlapped=0x0) returned 1 [0102.819] GetProcessHeap () returned 0x4e0000 [0102.819] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.819] CloseHandle (hObject=0xec) returned 1 [0102.822] GetProcessHeap () returned 0x4e0000 [0102.822] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.822] GetProcessHeap () returned 0x4e0000 [0102.822] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.822] GetProcessHeap () returned 0x4e0000 [0102.822] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.822] GetProcessHeap () returned 0x4e0000 [0102.822] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.822] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Tuo8EkNp.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Tuo8EkNp.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Tuo8EkNp.jpg" [0102.822] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Tuo8EkNp.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Tuo8EkNp.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Tuo8EkNp.jpg.NEPHILIM" [0102.822] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Tuo8EkNp.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tuo8eknp.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Tuo8EkNp.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\tuo8eknp.jpg.nephilim")) returned 1 [0102.824] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20d77b90, ftCreationTime.dwHighDateTime=0x1d5e125, ftLastAccessTime.dwLowDateTime=0xf708afb0, ftLastAccessTime.dwHighDateTime=0x1d5e5c4, ftLastWriteTime.dwLowDateTime=0xf708afb0, ftLastWriteTime.dwHighDateTime=0x1d5e5c4, nFileSizeHigh=0x0, nFileSizeLow=0x9746, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="uAGaXXfmNTeSn6aQso.m4a", cAlternateFileName="UAGAXX~1.M4A")) returned 1 [0102.824] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2=".") returned 1 [0102.824] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="..") returned 1 [0102.824] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="...") returned 1 [0102.824] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="windows") returned -1 [0102.824] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="$RECYCLE.BIN") returned 1 [0102.824] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="rsa") returned 1 [0102.824] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="log") returned 1 [0102.824] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="NTDETECT.COM") returned 1 [0102.824] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="ntldr") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="MSDOS.SYS") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="IO.SYS") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="boot.ini") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="ntuser.dat") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="desktop.ini") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="CONFIG.SYS") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="RECYCLER") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="BOOTSECT.BAK") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="bootmgr") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="programdata") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="appdata") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="program files") returned 1 [0102.825] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="program files (x86)") returned 1 [0102.825] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.825] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="uAGaXXfmNTeSn6aQso.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uAGaXXfmNTeSn6aQso.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uAGaXXfmNTeSn6aQso.m4a" [0102.825] PathFindExtensionW (pszPath="uAGaXXfmNTeSn6aQso.m4a") returned=".m4a" [0102.825] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0102.825] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0102.825] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0102.825] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0102.825] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0102.826] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0102.826] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0102.826] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0102.826] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0102.826] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0102.826] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0102.826] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0102.826] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0102.826] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0102.826] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0102.826] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0102.826] lstrcmpiW (lpString1="uAGaXXfmNTeSn6aQso.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.826] lstrlenA (lpString="NEPHILIM") returned 8 [0102.826] GetProcessHeap () returned 0x4e0000 [0102.826] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507758 [0102.826] lstrlenA (lpString="NEPHILIM") returned 8 [0102.826] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uAGaXXfmNTeSn6aQso.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\uagaxxfmntesn6aqso.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.827] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=38726) returned 1 [0102.827] GetProcessHeap () returned 0x4e0000 [0102.827] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.827] GetProcessHeap () returned 0x4e0000 [0102.827] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.827] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.827] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.827] GetProcessHeap () returned 0x4e0000 [0102.827] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.827] GetProcessHeap () returned 0x4e0000 [0102.827] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.827] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.827] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.828] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x9746, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.828] SetLastError (dwErrCode=0x0) [0102.828] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.829] GetLastError () returned 0x0 [0102.829] GetLastError () returned 0x0 [0102.829] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x9846, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.829] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.829] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x9946, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.830] lstrlenA (lpString="NEPHILIM") returned 8 [0102.830] WriteFile (in: hFile=0xec, lpBuffer=0x507758*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507758*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.830] GetProcessHeap () returned 0x4e0000 [0102.830] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x9746) returned 0x50a8a8 [0102.830] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.830] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x9746, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x9746, lpOverlapped=0x0) returned 1 [0102.833] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.833] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x9746, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x9746, lpOverlapped=0x0) returned 1 [0102.833] GetProcessHeap () returned 0x4e0000 [0102.833] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.833] CloseHandle (hObject=0xec) returned 1 [0102.835] GetProcessHeap () returned 0x4e0000 [0102.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.835] GetProcessHeap () returned 0x4e0000 [0102.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.835] GetProcessHeap () returned 0x4e0000 [0102.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.835] GetProcessHeap () returned 0x4e0000 [0102.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.835] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uAGaXXfmNTeSn6aQso.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uAGaXXfmNTeSn6aQso.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uAGaXXfmNTeSn6aQso.m4a" [0102.835] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uAGaXXfmNTeSn6aQso.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uAGaXXfmNTeSn6aQso.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uAGaXXfmNTeSn6aQso.m4a.NEPHILIM" [0102.835] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uAGaXXfmNTeSn6aQso.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\uagaxxfmntesn6aqso.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uAGaXXfmNTeSn6aQso.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\uagaxxfmntesn6aqso.m4a.nephilim")) returned 1 [0102.837] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca3e28d0, ftCreationTime.dwHighDateTime=0x1d5e0c8, ftLastAccessTime.dwLowDateTime=0x99c0af30, ftLastAccessTime.dwHighDateTime=0x1d5e658, ftLastWriteTime.dwLowDateTime=0x99c0af30, ftLastWriteTime.dwHighDateTime=0x1d5e658, nFileSizeHigh=0x0, nFileSizeLow=0x14eb0, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="viJbrbj2QoktEF6cu9K.pps", cAlternateFileName="VIJBRB~1.PPS")) returned 1 [0102.837] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2=".") returned 1 [0102.837] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="..") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="...") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="windows") returned -1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="$RECYCLE.BIN") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="rsa") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="log") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="NTDETECT.COM") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="ntldr") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="MSDOS.SYS") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="IO.SYS") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="boot.ini") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="AUTOEXEC.BAT") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="ntuser.dat") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="desktop.ini") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="CONFIG.SYS") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="RECYCLER") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="BOOTSECT.BAK") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="bootmgr") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="programdata") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="appdata") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="program files") returned 1 [0102.838] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="program files (x86)") returned 1 [0102.838] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.838] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="viJbrbj2QoktEF6cu9K.pps" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\viJbrbj2QoktEF6cu9K.pps") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\viJbrbj2QoktEF6cu9K.pps" [0102.838] PathFindExtensionW (pszPath="viJbrbj2QoktEF6cu9K.pps") returned=".pps" [0102.838] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".NEPHILIM") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0102.839] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0102.839] lstrcmpiW (lpString1="viJbrbj2QoktEF6cu9K.pps", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.839] lstrlenA (lpString="NEPHILIM") returned 8 [0102.839] GetProcessHeap () returned 0x4e0000 [0102.839] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507768 [0102.839] lstrlenA (lpString="NEPHILIM") returned 8 [0102.839] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\viJbrbj2QoktEF6cu9K.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vijbrbj2qoktef6cu9k.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.840] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=85680) returned 1 [0102.840] GetProcessHeap () returned 0x4e0000 [0102.840] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.840] GetProcessHeap () returned 0x4e0000 [0102.840] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.840] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.840] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.840] GetProcessHeap () returned 0x4e0000 [0102.840] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.840] GetProcessHeap () returned 0x4e0000 [0102.840] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.840] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.840] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.840] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x14eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.841] SetLastError (dwErrCode=0x0) [0102.841] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.842] GetLastError () returned 0x0 [0102.842] GetLastError () returned 0x0 [0102.842] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x14fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.842] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.842] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x150b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.842] lstrlenA (lpString="NEPHILIM") returned 8 [0102.842] WriteFile (in: hFile=0xec, lpBuffer=0x507768*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507768*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.842] GetProcessHeap () returned 0x4e0000 [0102.842] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x14eb0) returned 0x50a8a8 [0102.842] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.842] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x14eb0, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x14eb0, lpOverlapped=0x0) returned 1 [0102.850] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.850] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x14eb0, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x14eb0, lpOverlapped=0x0) returned 1 [0102.850] GetProcessHeap () returned 0x4e0000 [0102.850] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.850] CloseHandle (hObject=0xec) returned 1 [0102.856] GetProcessHeap () returned 0x4e0000 [0102.856] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.856] GetProcessHeap () returned 0x4e0000 [0102.856] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.857] GetProcessHeap () returned 0x4e0000 [0102.857] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.857] GetProcessHeap () returned 0x4e0000 [0102.857] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.857] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\viJbrbj2QoktEF6cu9K.pps" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\viJbrbj2QoktEF6cu9K.pps") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\viJbrbj2QoktEF6cu9K.pps" [0102.857] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\viJbrbj2QoktEF6cu9K.pps", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\viJbrbj2QoktEF6cu9K.pps.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\viJbrbj2QoktEF6cu9K.pps.NEPHILIM" [0102.857] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\viJbrbj2QoktEF6cu9K.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vijbrbj2qoktef6cu9k.pps"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\viJbrbj2QoktEF6cu9K.pps.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vijbrbj2qoktef6cu9k.pps.nephilim")) returned 1 [0102.859] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a9e1f50, ftCreationTime.dwHighDateTime=0x1d5db9b, ftLastAccessTime.dwLowDateTime=0x51e548d0, ftLastAccessTime.dwHighDateTime=0x1d5e1ec, ftLastWriteTime.dwLowDateTime=0x51e548d0, ftLastWriteTime.dwHighDateTime=0x1d5e1ec, nFileSizeHigh=0x0, nFileSizeLow=0x79dd, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="w4fe2ze8GN1YF3cWCmCb.m4a", cAlternateFileName="W4FE2Z~1.M4A")) returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2=".") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="..") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="...") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="windows") returned -1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="$RECYCLE.BIN") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="rsa") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="log") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="NTDETECT.COM") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="ntldr") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="MSDOS.SYS") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="IO.SYS") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="boot.ini") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="ntuser.dat") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="desktop.ini") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="CONFIG.SYS") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="RECYCLER") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="BOOTSECT.BAK") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="bootmgr") returned 1 [0102.859] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="programdata") returned 1 [0102.860] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="appdata") returned 1 [0102.860] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="program files") returned 1 [0102.860] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="program files (x86)") returned 1 [0102.860] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.860] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="w4fe2ze8GN1YF3cWCmCb.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w4fe2ze8GN1YF3cWCmCb.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w4fe2ze8GN1YF3cWCmCb.m4a" [0102.860] PathFindExtensionW (pszPath="w4fe2ze8GN1YF3cWCmCb.m4a") returned=".m4a" [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0102.860] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0102.860] lstrcmpiW (lpString1="w4fe2ze8GN1YF3cWCmCb.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.860] lstrlenA (lpString="NEPHILIM") returned 8 [0102.860] GetProcessHeap () returned 0x4e0000 [0102.860] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x507778 [0102.860] lstrlenA (lpString="NEPHILIM") returned 8 [0102.861] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w4fe2ze8GN1YF3cWCmCb.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\w4fe2ze8gn1yf3cwcmcb.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.861] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=31197) returned 1 [0102.861] GetProcessHeap () returned 0x4e0000 [0102.861] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.861] GetProcessHeap () returned 0x4e0000 [0102.861] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.861] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.861] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.861] GetProcessHeap () returned 0x4e0000 [0102.861] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.861] GetProcessHeap () returned 0x4e0000 [0102.861] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.862] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.862] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.862] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x79dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.862] SetLastError (dwErrCode=0x0) [0102.862] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.863] GetLastError () returned 0x0 [0102.863] GetLastError () returned 0x0 [0102.863] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7add, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.863] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.863] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7bdd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.863] lstrlenA (lpString="NEPHILIM") returned 8 [0102.863] WriteFile (in: hFile=0xec, lpBuffer=0x507778*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x507778*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.863] GetProcessHeap () returned 0x4e0000 [0102.863] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x79dd) returned 0x50a8a8 [0102.864] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.864] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x79dd, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x79dd, lpOverlapped=0x0) returned 1 [0102.866] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.866] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x79dd, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x79dd, lpOverlapped=0x0) returned 1 [0102.866] GetProcessHeap () returned 0x4e0000 [0102.866] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.866] CloseHandle (hObject=0xec) returned 1 [0102.868] GetProcessHeap () returned 0x4e0000 [0102.868] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.868] GetProcessHeap () returned 0x4e0000 [0102.868] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.868] GetProcessHeap () returned 0x4e0000 [0102.868] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.868] GetProcessHeap () returned 0x4e0000 [0102.868] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.868] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w4fe2ze8GN1YF3cWCmCb.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w4fe2ze8GN1YF3cWCmCb.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w4fe2ze8GN1YF3cWCmCb.m4a" [0102.869] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w4fe2ze8GN1YF3cWCmCb.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w4fe2ze8GN1YF3cWCmCb.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w4fe2ze8GN1YF3cWCmCb.m4a.NEPHILIM" [0102.869] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w4fe2ze8GN1YF3cWCmCb.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\w4fe2ze8gn1yf3cwcmcb.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\w4fe2ze8GN1YF3cWCmCb.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\w4fe2ze8gn1yf3cwcmcb.m4a.nephilim")) returned 1 [0102.870] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab2d1180, ftCreationTime.dwHighDateTime=0x1d607de, ftLastAccessTime.dwLowDateTime=0xab2d1180, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xe37a2300, ftLastWriteTime.dwHighDateTime=0x1d607d1, nFileSizeHigh=0x0, nFileSizeLow=0x47f8, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="weeli.exe", cAlternateFileName="")) returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2=".") returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="..") returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="...") returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="windows") returned -1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="$RECYCLE.BIN") returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="rsa") returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="log") returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="NTDETECT.COM") returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="ntldr") returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="MSDOS.SYS") returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="IO.SYS") returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="boot.ini") returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="AUTOEXEC.BAT") returned 1 [0102.870] lstrcmpiW (lpString1="weeli.exe", lpString2="ntuser.dat") returned 1 [0102.871] lstrcmpiW (lpString1="weeli.exe", lpString2="desktop.ini") returned 1 [0102.871] lstrcmpiW (lpString1="weeli.exe", lpString2="CONFIG.SYS") returned 1 [0102.871] lstrcmpiW (lpString1="weeli.exe", lpString2="RECYCLER") returned 1 [0102.871] lstrcmpiW (lpString1="weeli.exe", lpString2="BOOTSECT.BAK") returned 1 [0102.871] lstrcmpiW (lpString1="weeli.exe", lpString2="bootmgr") returned 1 [0102.871] lstrcmpiW (lpString1="weeli.exe", lpString2="programdata") returned 1 [0102.871] lstrcmpiW (lpString1="weeli.exe", lpString2="appdata") returned 1 [0102.871] lstrcmpiW (lpString1="weeli.exe", lpString2="program files") returned 1 [0102.871] lstrcmpiW (lpString1="weeli.exe", lpString2="program files (x86)") returned 1 [0102.871] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.871] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="weeli.exe" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\weeli.exe") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\weeli.exe" [0102.871] PathFindExtensionW (pszPath="weeli.exe") returned=".exe" [0102.871] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0102.871] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12b217e0, ftCreationTime.dwHighDateTime=0x1d5e5f4, ftLastAccessTime.dwLowDateTime=0x436c68c0, ftLastAccessTime.dwHighDateTime=0x1d5d827, ftLastWriteTime.dwLowDateTime=0x436c68c0, ftLastWriteTime.dwHighDateTime=0x1d5d827, nFileSizeHigh=0x0, nFileSizeLow=0x1859b, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="XLRKCqo3.png", cAlternateFileName="")) returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2=".") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="..") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="...") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="windows") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="$RECYCLE.BIN") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="rsa") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="log") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="NTDETECT.COM") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="ntldr") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="MSDOS.SYS") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="IO.SYS") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="boot.ini") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="AUTOEXEC.BAT") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="ntuser.dat") returned 1 [0102.871] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="desktop.ini") returned 1 [0102.872] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="CONFIG.SYS") returned 1 [0102.872] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="RECYCLER") returned 1 [0102.872] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="BOOTSECT.BAK") returned 1 [0102.872] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="bootmgr") returned 1 [0102.872] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="programdata") returned 1 [0102.872] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="appdata") returned 1 [0102.872] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="program files") returned 1 [0102.872] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="program files (x86)") returned 1 [0102.872] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.872] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="XLRKCqo3.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XLRKCqo3.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XLRKCqo3.png" [0102.872] PathFindExtensionW (pszPath="XLRKCqo3.png") returned=".png" [0102.872] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0102.872] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0102.872] lstrcmpiW (lpString1="XLRKCqo3.png", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.872] lstrlenA (lpString="NEPHILIM") returned 8 [0102.873] GetProcessHeap () returned 0x4e0000 [0102.873] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504e80 [0102.873] lstrlenA (lpString="NEPHILIM") returned 8 [0102.873] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XLRKCqo3.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xlrkcqo3.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.873] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=99739) returned 1 [0102.873] GetProcessHeap () returned 0x4e0000 [0102.873] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.873] GetProcessHeap () returned 0x4e0000 [0102.873] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.873] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.873] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.873] GetProcessHeap () returned 0x4e0000 [0102.873] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.873] GetProcessHeap () returned 0x4e0000 [0102.873] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.873] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.873] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.874] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1859b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.874] SetLastError (dwErrCode=0x0) [0102.874] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.875] GetLastError () returned 0x0 [0102.875] GetLastError () returned 0x0 [0102.875] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1869b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.875] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.875] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1879b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.875] lstrlenA (lpString="NEPHILIM") returned 8 [0102.875] WriteFile (in: hFile=0xec, lpBuffer=0x504e80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504e80*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.875] GetProcessHeap () returned 0x4e0000 [0102.875] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1859b) returned 0x50a8a8 [0102.875] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.875] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x1859b, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x1859b, lpOverlapped=0x0) returned 1 [0102.880] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.880] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x1859b, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x1859b, lpOverlapped=0x0) returned 1 [0102.881] GetProcessHeap () returned 0x4e0000 [0102.881] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.881] CloseHandle (hObject=0xec) returned 1 [0102.886] GetProcessHeap () returned 0x4e0000 [0102.886] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.886] GetProcessHeap () returned 0x4e0000 [0102.886] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.887] GetProcessHeap () returned 0x4e0000 [0102.887] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.887] GetProcessHeap () returned 0x4e0000 [0102.887] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.887] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XLRKCqo3.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XLRKCqo3.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XLRKCqo3.png" [0102.887] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XLRKCqo3.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XLRKCqo3.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XLRKCqo3.png.NEPHILIM" [0102.887] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XLRKCqo3.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xlrkcqo3.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\XLRKCqo3.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xlrkcqo3.png.nephilim")) returned 1 [0102.888] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5c51da0, ftCreationTime.dwHighDateTime=0x1d5e7ea, ftLastAccessTime.dwLowDateTime=0xd7e62c40, ftLastAccessTime.dwHighDateTime=0x1d5e135, ftLastWriteTime.dwLowDateTime=0xd7e62c40, ftLastWriteTime.dwHighDateTime=0x1d5e135, nFileSizeHigh=0x0, nFileSizeLow=0xe227, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="zddpcY.flv", cAlternateFileName="")) returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2=".") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="..") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="...") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="windows") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="$RECYCLE.BIN") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="rsa") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="log") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="NTDETECT.COM") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="ntldr") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="MSDOS.SYS") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="IO.SYS") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="boot.ini") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="AUTOEXEC.BAT") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="ntuser.dat") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="desktop.ini") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="CONFIG.SYS") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="RECYCLER") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="BOOTSECT.BAK") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="bootmgr") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="programdata") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="appdata") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="program files") returned 1 [0102.889] lstrcmpiW (lpString1="zddpcY.flv", lpString2="program files (x86)") returned 1 [0102.889] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.889] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="zddpcY.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zddpcY.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zddpcY.flv" [0102.890] PathFindExtensionW (pszPath="zddpcY.flv") returned=".flv" [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".NEPHILIM") returned -1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0102.890] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0102.890] lstrcmpiW (lpString1="zddpcY.flv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.890] lstrlenA (lpString="NEPHILIM") returned 8 [0102.890] GetProcessHeap () returned 0x4e0000 [0102.890] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504e90 [0102.890] lstrlenA (lpString="NEPHILIM") returned 8 [0102.890] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zddpcY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zddpcy.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.891] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=57895) returned 1 [0102.891] GetProcessHeap () returned 0x4e0000 [0102.891] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.891] GetProcessHeap () returned 0x4e0000 [0102.891] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.891] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.891] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.891] GetProcessHeap () returned 0x4e0000 [0102.891] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.891] GetProcessHeap () returned 0x4e0000 [0102.891] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.891] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.891] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.892] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe227, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.892] SetLastError (dwErrCode=0x0) [0102.892] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.893] GetLastError () returned 0x0 [0102.893] GetLastError () returned 0x0 [0102.893] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe327, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.893] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.893] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe427, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.893] lstrlenA (lpString="NEPHILIM") returned 8 [0102.893] WriteFile (in: hFile=0xec, lpBuffer=0x504e90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504e90*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.894] GetProcessHeap () returned 0x4e0000 [0102.894] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xe227) returned 0x50a8a8 [0102.894] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.894] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0xe227, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0xe227, lpOverlapped=0x0) returned 1 [0102.897] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.897] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0xe227, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0xe227, lpOverlapped=0x0) returned 1 [0102.898] GetProcessHeap () returned 0x4e0000 [0102.898] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.898] CloseHandle (hObject=0xec) returned 1 [0102.900] GetProcessHeap () returned 0x4e0000 [0102.900] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.900] GetProcessHeap () returned 0x4e0000 [0102.900] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.900] GetProcessHeap () returned 0x4e0000 [0102.901] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.901] GetProcessHeap () returned 0x4e0000 [0102.901] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.901] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zddpcY.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zddpcY.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zddpcY.flv" [0102.901] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zddpcY.flv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zddpcY.flv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zddpcY.flv.NEPHILIM" [0102.901] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zddpcY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zddpcy.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zddpcY.flv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zddpcy.flv.nephilim")) returned 1 [0102.902] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f321930, ftCreationTime.dwHighDateTime=0x1d5dc05, ftLastAccessTime.dwLowDateTime=0x23a47de0, ftLastAccessTime.dwHighDateTime=0x1d5e34c, ftLastWriteTime.dwLowDateTime=0x23a47de0, ftLastWriteTime.dwHighDateTime=0x1d5e34c, nFileSizeHigh=0x0, nFileSizeLow=0x8245, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="Zpj5SmV8mS_BQW.m4a", cAlternateFileName="ZPJ5SM~1.M4A")) returned 1 [0102.902] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2=".") returned 1 [0102.902] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="..") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="...") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="windows") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="$RECYCLE.BIN") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="rsa") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="log") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="NTDETECT.COM") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="ntldr") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="MSDOS.SYS") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="IO.SYS") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="boot.ini") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="ntuser.dat") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="desktop.ini") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="CONFIG.SYS") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="RECYCLER") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="BOOTSECT.BAK") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="bootmgr") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="programdata") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="appdata") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="program files") returned 1 [0102.903] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="program files (x86)") returned 1 [0102.903] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0102.903] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Zpj5SmV8mS_BQW.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Zpj5SmV8mS_BQW.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Zpj5SmV8mS_BQW.m4a" [0102.903] PathFindExtensionW (pszPath="Zpj5SmV8mS_BQW.m4a") returned=".m4a" [0102.903] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0102.904] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0102.904] lstrcmpiW (lpString1="Zpj5SmV8mS_BQW.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.904] lstrlenA (lpString="NEPHILIM") returned 8 [0102.904] GetProcessHeap () returned 0x4e0000 [0102.904] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504ea0 [0102.904] lstrlenA (lpString="NEPHILIM") returned 8 [0102.904] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Zpj5SmV8mS_BQW.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zpj5smv8ms_bqw.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.905] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=33349) returned 1 [0102.905] GetProcessHeap () returned 0x4e0000 [0102.905] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.905] GetProcessHeap () returned 0x4e0000 [0102.905] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.905] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.905] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.905] GetProcessHeap () returned 0x4e0000 [0102.905] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.905] GetProcessHeap () returned 0x4e0000 [0102.905] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.905] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.905] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.906] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8245, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.906] SetLastError (dwErrCode=0x0) [0102.906] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.907] GetLastError () returned 0x0 [0102.907] GetLastError () returned 0x0 [0102.907] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8345, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.907] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.907] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8445, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.907] lstrlenA (lpString="NEPHILIM") returned 8 [0102.907] WriteFile (in: hFile=0xec, lpBuffer=0x504ea0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504ea0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.907] GetProcessHeap () returned 0x4e0000 [0102.907] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8245) returned 0x50a8a8 [0102.907] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.907] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x8245, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x8245, lpOverlapped=0x0) returned 1 [0102.910] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.910] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x8245, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x8245, lpOverlapped=0x0) returned 1 [0102.910] GetProcessHeap () returned 0x4e0000 [0102.910] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.910] CloseHandle (hObject=0xec) returned 1 [0102.912] GetProcessHeap () returned 0x4e0000 [0102.912] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.912] GetProcessHeap () returned 0x4e0000 [0102.912] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.912] GetProcessHeap () returned 0x4e0000 [0102.912] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.912] GetProcessHeap () returned 0x4e0000 [0102.912] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.912] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Zpj5SmV8mS_BQW.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Zpj5SmV8mS_BQW.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Zpj5SmV8mS_BQW.m4a" [0102.912] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Zpj5SmV8mS_BQW.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Zpj5SmV8mS_BQW.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Zpj5SmV8mS_BQW.m4a.NEPHILIM" [0102.913] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Zpj5SmV8mS_BQW.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zpj5smv8ms_bqw.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Zpj5SmV8mS_BQW.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zpj5smv8ms_bqw.m4a.nephilim")) returned 1 [0102.915] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f321930, ftCreationTime.dwHighDateTime=0x1d5dc05, ftLastAccessTime.dwLowDateTime=0x23a47de0, ftLastAccessTime.dwHighDateTime=0x1d5e34c, ftLastWriteTime.dwLowDateTime=0x23a47de0, ftLastWriteTime.dwHighDateTime=0x1d5e34c, nFileSizeHigh=0x0, nFileSizeLow=0x8245, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="Zpj5SmV8mS_BQW.m4a", cAlternateFileName="ZPJ5SM~1.M4A")) returned 0 [0102.915] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0102.915] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xde3d1080, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xde3d1080, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="log") returned -1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0102.915] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0102.916] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0102.916] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0102.916] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0102.916] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0102.916] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0102.916] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0102.916] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0102.916] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0102.916] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0102.916] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Documents" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0102.916] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0102.916] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0102.916] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0102.916] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xde3d1080, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xde3d1080, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x502830 [0102.916] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0102.916] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xde3d1080, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xde3d1080, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0102.917] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0102.917] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0102.917] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48c628c0, ftCreationTime.dwHighDateTime=0x1d5e578, ftLastAccessTime.dwLowDateTime=0x58590dc0, ftLastAccessTime.dwHighDateTime=0x1d5e49c, ftLastWriteTime.dwLowDateTime=0x58590dc0, ftLastWriteTime.dwHighDateTime=0x1d5e49c, nFileSizeHigh=0x0, nFileSizeLow=0xb15d, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="-SC6MV5eTF3.csv", cAlternateFileName="-SC6MV~1.CSV")) returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2=".") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="..") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="...") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="windows") returned -1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="$RECYCLE.BIN") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="rsa") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="log") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="NTDETECT.COM") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="ntldr") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="MSDOS.SYS") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="IO.SYS") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="boot.ini") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="AUTOEXEC.BAT") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="ntuser.dat") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="desktop.ini") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="CONFIG.SYS") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="RECYCLER") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="BOOTSECT.BAK") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="bootmgr") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="programdata") returned 1 [0102.917] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="appdata") returned 1 [0102.918] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="program files") returned 1 [0102.918] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="program files (x86)") returned 1 [0102.918] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0102.918] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="-SC6MV5eTF3.csv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-SC6MV5eTF3.csv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-SC6MV5eTF3.csv" [0102.918] PathFindExtensionW (pszPath="-SC6MV5eTF3.csv") returned=".csv" [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".NEPHILIM") returned -1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0102.918] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0102.918] lstrcmpiW (lpString1="-SC6MV5eTF3.csv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0102.918] lstrlenA (lpString="NEPHILIM") returned 8 [0102.919] GetProcessHeap () returned 0x4e0000 [0102.919] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504eb0 [0102.919] lstrlenA (lpString="NEPHILIM") returned 8 [0102.919] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-SC6MV5eTF3.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-sc6mv5etf3.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.919] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=45405) returned 1 [0102.919] GetProcessHeap () returned 0x4e0000 [0102.919] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.919] GetProcessHeap () returned 0x4e0000 [0102.919] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.919] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.919] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.919] GetProcessHeap () returned 0x4e0000 [0102.919] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.919] GetProcessHeap () returned 0x4e0000 [0102.919] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.919] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.920] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.920] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xb15d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.920] SetLastError (dwErrCode=0x0) [0102.920] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.921] GetLastError () returned 0x0 [0102.921] GetLastError () returned 0x0 [0102.921] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xb25d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.921] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.921] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xb35d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.922] lstrlenA (lpString="NEPHILIM") returned 8 [0102.922] WriteFile (in: hFile=0xec, lpBuffer=0x504eb0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504eb0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.922] GetProcessHeap () returned 0x4e0000 [0102.922] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xb15d) returned 0x50a8a8 [0102.922] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.922] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0xb15d, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0xb15d, lpOverlapped=0x0) returned 1 [0102.926] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.926] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0xb15d, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0xb15d, lpOverlapped=0x0) returned 1 [0102.927] GetProcessHeap () returned 0x4e0000 [0102.927] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.927] CloseHandle (hObject=0xec) returned 1 [0102.932] GetProcessHeap () returned 0x4e0000 [0102.932] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.932] GetProcessHeap () returned 0x4e0000 [0102.932] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.932] GetProcessHeap () returned 0x4e0000 [0102.932] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.932] GetProcessHeap () returned 0x4e0000 [0102.932] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.932] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-SC6MV5eTF3.csv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-SC6MV5eTF3.csv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-SC6MV5eTF3.csv" [0102.933] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-SC6MV5eTF3.csv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-SC6MV5eTF3.csv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-SC6MV5eTF3.csv.NEPHILIM" [0102.933] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-SC6MV5eTF3.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-sc6mv5etf3.csv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\-SC6MV5eTF3.csv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\-sc6mv5etf3.csv.nephilim")) returned 1 [0102.934] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1935ce0, ftCreationTime.dwHighDateTime=0x1d5e7ac, ftLastAccessTime.dwLowDateTime=0xa7a6af20, ftLastAccessTime.dwHighDateTime=0x1d5e269, ftLastWriteTime.dwLowDateTime=0xa7a6af20, ftLastWriteTime.dwHighDateTime=0x1d5e269, nFileSizeHigh=0x0, nFileSizeLow=0x1d42, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="1zszOcg.pptx", cAlternateFileName="1ZSZOC~1.PPT")) returned 1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2=".") returned 1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="..") returned 1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="...") returned 1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="windows") returned -1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="$RECYCLE.BIN") returned 1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="rsa") returned -1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="log") returned -1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="NTDETECT.COM") returned -1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="ntldr") returned -1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="MSDOS.SYS") returned -1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="IO.SYS") returned -1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="boot.ini") returned -1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="AUTOEXEC.BAT") returned -1 [0102.934] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="ntuser.dat") returned -1 [0102.935] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="desktop.ini") returned -1 [0102.935] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="CONFIG.SYS") returned -1 [0102.935] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="RECYCLER") returned -1 [0102.935] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="BOOTSECT.BAK") returned -1 [0102.935] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="bootmgr") returned -1 [0102.935] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="programdata") returned -1 [0102.935] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="appdata") returned -1 [0102.935] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="program files") returned -1 [0102.935] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="program files (x86)") returned -1 [0102.935] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0102.935] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="1zszOcg.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1zszOcg.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1zszOcg.pptx" [0102.935] PathFindExtensionW (pszPath="1zszOcg.pptx") returned=".pptx" [0102.935] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0102.935] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0102.935] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0102.935] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0102.935] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0102.935] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0102.936] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0102.936] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0102.936] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0102.936] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0102.936] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0102.936] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0102.936] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0102.936] lstrcmpiW (lpString1=".pptx", lpString2=".NEPHILIM") returned 1 [0102.936] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0102.936] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0102.936] lstrcmpiW (lpString1="1zszOcg.pptx", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.936] lstrlenA (lpString="NEPHILIM") returned 8 [0102.936] GetProcessHeap () returned 0x4e0000 [0102.936] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504ec0 [0102.936] lstrlenA (lpString="NEPHILIM") returned 8 [0102.936] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1zszOcg.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\1zszocg.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.936] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=7490) returned 1 [0102.936] GetProcessHeap () returned 0x4e0000 [0102.937] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.937] GetProcessHeap () returned 0x4e0000 [0102.937] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.937] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.937] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.937] GetProcessHeap () returned 0x4e0000 [0102.937] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.937] GetProcessHeap () returned 0x4e0000 [0102.937] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.937] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.937] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.937] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1d42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.937] SetLastError (dwErrCode=0x0) [0102.938] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.939] GetLastError () returned 0x0 [0102.939] GetLastError () returned 0x0 [0102.939] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1e42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.940] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.940] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1f42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.940] lstrlenA (lpString="NEPHILIM") returned 8 [0102.940] WriteFile (in: hFile=0xec, lpBuffer=0x504ec0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504ec0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.940] GetProcessHeap () returned 0x4e0000 [0102.940] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1d42) returned 0x50a8a8 [0102.940] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.940] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x1d42, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x1d42, lpOverlapped=0x0) returned 1 [0102.941] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.941] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x1d42, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x1d42, lpOverlapped=0x0) returned 1 [0102.941] GetProcessHeap () returned 0x4e0000 [0102.941] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.941] CloseHandle (hObject=0xec) returned 1 [0102.948] GetProcessHeap () returned 0x4e0000 [0102.948] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.948] GetProcessHeap () returned 0x4e0000 [0102.948] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.948] GetProcessHeap () returned 0x4e0000 [0102.948] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.948] GetProcessHeap () returned 0x4e0000 [0102.948] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.948] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1zszOcg.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1zszOcg.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1zszOcg.pptx" [0102.948] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1zszOcg.pptx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1zszOcg.pptx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1zszOcg.pptx.NEPHILIM" [0102.948] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1zszOcg.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\1zszocg.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1zszOcg.pptx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\1zszocg.pptx.nephilim")) returned 1 [0102.949] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12556440, ftCreationTime.dwHighDateTime=0x1d583d0, ftLastAccessTime.dwLowDateTime=0xa982d590, ftLastAccessTime.dwHighDateTime=0x1d5b2bb, ftLastWriteTime.dwLowDateTime=0xa982d590, ftLastWriteTime.dwHighDateTime=0x1d5b2bb, nFileSizeHigh=0x0, nFileSizeLow=0x81a5, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="CTwx4Cqt.pptx", cAlternateFileName="CTWX4C~1.PPT")) returned 1 [0102.949] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2=".") returned 1 [0102.949] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="..") returned 1 [0102.949] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="...") returned 1 [0102.949] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="windows") returned -1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="$RECYCLE.BIN") returned 1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="rsa") returned -1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="log") returned -1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="NTDETECT.COM") returned -1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="ntldr") returned -1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="MSDOS.SYS") returned -1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="IO.SYS") returned -1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="boot.ini") returned 1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="ntuser.dat") returned -1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="desktop.ini") returned -1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="CONFIG.SYS") returned 1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="RECYCLER") returned -1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="BOOTSECT.BAK") returned 1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="bootmgr") returned 1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="programdata") returned -1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="appdata") returned 1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="program files") returned -1 [0102.950] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="program files (x86)") returned -1 [0102.950] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0102.950] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="CTwx4Cqt.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTwx4Cqt.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTwx4Cqt.pptx" [0102.950] PathFindExtensionW (pszPath="CTwx4Cqt.pptx") returned=".pptx" [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".NEPHILIM") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0102.951] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0102.951] lstrcmpiW (lpString1="CTwx4Cqt.pptx", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.951] lstrlenA (lpString="NEPHILIM") returned 8 [0102.951] GetProcessHeap () returned 0x4e0000 [0102.951] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504ed0 [0102.951] lstrlenA (lpString="NEPHILIM") returned 8 [0102.951] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTwx4Cqt.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ctwx4cqt.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.952] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=33189) returned 1 [0102.952] GetProcessHeap () returned 0x4e0000 [0102.952] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.952] GetProcessHeap () returned 0x4e0000 [0102.952] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.952] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.952] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.952] GetProcessHeap () returned 0x4e0000 [0102.952] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.952] GetProcessHeap () returned 0x4e0000 [0102.952] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.952] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.952] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.953] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x81a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.953] SetLastError (dwErrCode=0x0) [0102.953] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.954] GetLastError () returned 0x0 [0102.954] GetLastError () returned 0x0 [0102.954] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x82a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.955] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.955] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x83a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.955] lstrlenA (lpString="NEPHILIM") returned 8 [0102.955] WriteFile (in: hFile=0xec, lpBuffer=0x504ed0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504ed0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.955] GetProcessHeap () returned 0x4e0000 [0102.955] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x81a5) returned 0x50a8a8 [0102.955] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.955] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x81a5, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x81a5, lpOverlapped=0x0) returned 1 [0102.957] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.957] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x81a5, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x81a5, lpOverlapped=0x0) returned 1 [0102.958] GetProcessHeap () returned 0x4e0000 [0102.958] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.958] CloseHandle (hObject=0xec) returned 1 [0102.959] GetProcessHeap () returned 0x4e0000 [0102.960] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.960] GetProcessHeap () returned 0x4e0000 [0102.960] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.960] GetProcessHeap () returned 0x4e0000 [0102.960] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.960] GetProcessHeap () returned 0x4e0000 [0102.960] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.960] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTwx4Cqt.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTwx4Cqt.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTwx4Cqt.pptx" [0102.960] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTwx4Cqt.pptx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTwx4Cqt.pptx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTwx4Cqt.pptx.NEPHILIM" [0102.960] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTwx4Cqt.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ctwx4cqt.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CTwx4Cqt.pptx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ctwx4cqt.pptx.nephilim")) returned 1 [0102.962] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0102.962] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0102.962] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0102.962] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0102.962] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0102.962] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0102.962] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0102.962] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0102.962] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0102.962] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0102.962] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0102.963] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0102.963] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0102.963] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0102.963] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0102.963] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0102.963] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ef96130, ftCreationTime.dwHighDateTime=0x1d5df33, ftLastAccessTime.dwLowDateTime=0x4e8f0880, ftLastAccessTime.dwHighDateTime=0x1d5e7f8, ftLastWriteTime.dwLowDateTime=0x4e8f0880, ftLastWriteTime.dwHighDateTime=0x1d5e7f8, nFileSizeHigh=0x0, nFileSizeLow=0x8c6b, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="Dk7mKnbJLmGTyjWV.pps", cAlternateFileName="DK7MKN~1.PPS")) returned 1 [0102.963] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2=".") returned 1 [0102.963] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="..") returned 1 [0102.963] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="...") returned 1 [0102.963] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="windows") returned -1 [0102.963] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="$RECYCLE.BIN") returned 1 [0102.963] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="rsa") returned -1 [0102.963] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="log") returned -1 [0102.963] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="NTDETECT.COM") returned -1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="ntldr") returned -1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="MSDOS.SYS") returned -1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="IO.SYS") returned -1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="boot.ini") returned 1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="AUTOEXEC.BAT") returned 1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="ntuser.dat") returned -1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="desktop.ini") returned 1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="CONFIG.SYS") returned 1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="RECYCLER") returned -1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="BOOTSECT.BAK") returned 1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="bootmgr") returned 1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="programdata") returned -1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="appdata") returned 1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="program files") returned -1 [0102.964] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="program files (x86)") returned -1 [0102.964] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0102.964] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Dk7mKnbJLmGTyjWV.pps" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Dk7mKnbJLmGTyjWV.pps") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Dk7mKnbJLmGTyjWV.pps" [0102.964] PathFindExtensionW (pszPath="Dk7mKnbJLmGTyjWV.pps") returned=".pps" [0102.964] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0102.965] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0102.965] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0102.965] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0102.965] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0102.965] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0102.965] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0102.965] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0102.965] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0102.965] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0102.965] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0102.968] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0102.968] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0102.968] lstrcmpiW (lpString1=".pps", lpString2=".NEPHILIM") returned 1 [0102.968] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0102.968] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0102.969] lstrcmpiW (lpString1="Dk7mKnbJLmGTyjWV.pps", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.969] lstrlenA (lpString="NEPHILIM") returned 8 [0102.969] GetProcessHeap () returned 0x4e0000 [0102.969] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504ee0 [0102.969] lstrlenA (lpString="NEPHILIM") returned 8 [0102.969] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Dk7mKnbJLmGTyjWV.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dk7mknbjlmgtyjwv.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.969] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=35947) returned 1 [0102.969] GetProcessHeap () returned 0x4e0000 [0102.969] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.969] GetProcessHeap () returned 0x4e0000 [0102.969] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.969] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.969] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.970] GetProcessHeap () returned 0x4e0000 [0102.970] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.972] GetProcessHeap () returned 0x4e0000 [0102.972] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.973] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.973] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.973] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8c6b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.974] SetLastError (dwErrCode=0x0) [0102.974] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.975] GetLastError () returned 0x0 [0102.975] GetLastError () returned 0x0 [0102.975] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8d6b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.975] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.975] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8e6b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.975] lstrlenA (lpString="NEPHILIM") returned 8 [0102.975] WriteFile (in: hFile=0xec, lpBuffer=0x504ee0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504ee0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.975] GetProcessHeap () returned 0x4e0000 [0102.975] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8c6b) returned 0x50a8a8 [0102.975] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.976] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x8c6b, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x8c6b, lpOverlapped=0x0) returned 1 [0102.978] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.978] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x8c6b, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x8c6b, lpOverlapped=0x0) returned 1 [0102.978] GetProcessHeap () returned 0x4e0000 [0102.978] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.978] CloseHandle (hObject=0xec) returned 1 [0102.980] GetProcessHeap () returned 0x4e0000 [0102.980] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.980] GetProcessHeap () returned 0x4e0000 [0102.980] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.980] GetProcessHeap () returned 0x4e0000 [0102.980] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.980] GetProcessHeap () returned 0x4e0000 [0102.980] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.980] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Dk7mKnbJLmGTyjWV.pps" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Dk7mKnbJLmGTyjWV.pps") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Dk7mKnbJLmGTyjWV.pps" [0102.980] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Dk7mKnbJLmGTyjWV.pps", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Dk7mKnbJLmGTyjWV.pps.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Dk7mKnbJLmGTyjWV.pps.NEPHILIM" [0102.981] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Dk7mKnbJLmGTyjWV.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dk7mknbjlmgtyjwv.pps"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Dk7mKnbJLmGTyjWV.pps.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dk7mknbjlmgtyjwv.pps.nephilim")) returned 1 [0102.984] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f801a30, ftCreationTime.dwHighDateTime=0x1d571c7, ftLastAccessTime.dwLowDateTime=0xda0a5280, ftLastAccessTime.dwHighDateTime=0x1d55fd5, ftLastWriteTime.dwLowDateTime=0xda0a5280, ftLastWriteTime.dwHighDateTime=0x1d55fd5, nFileSizeHigh=0x0, nFileSizeLow=0x10faa, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="DrkA.pptx", cAlternateFileName="DRKA~1.PPT")) returned 1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2=".") returned 1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="..") returned 1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="...") returned 1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="windows") returned -1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="$RECYCLE.BIN") returned 1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="rsa") returned -1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="log") returned -1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="NTDETECT.COM") returned -1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="ntldr") returned -1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="MSDOS.SYS") returned -1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="IO.SYS") returned -1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="boot.ini") returned 1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="ntuser.dat") returned -1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="desktop.ini") returned 1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="CONFIG.SYS") returned 1 [0102.984] lstrcmpiW (lpString1="DrkA.pptx", lpString2="RECYCLER") returned -1 [0102.985] lstrcmpiW (lpString1="DrkA.pptx", lpString2="BOOTSECT.BAK") returned 1 [0102.985] lstrcmpiW (lpString1="DrkA.pptx", lpString2="bootmgr") returned 1 [0102.985] lstrcmpiW (lpString1="DrkA.pptx", lpString2="programdata") returned -1 [0102.985] lstrcmpiW (lpString1="DrkA.pptx", lpString2="appdata") returned 1 [0102.985] lstrcmpiW (lpString1="DrkA.pptx", lpString2="program files") returned -1 [0102.985] lstrcmpiW (lpString1="DrkA.pptx", lpString2="program files (x86)") returned -1 [0102.985] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0102.985] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="DrkA.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DrkA.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DrkA.pptx" [0102.985] PathFindExtensionW (pszPath="DrkA.pptx") returned=".pptx" [0102.985] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0102.985] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0102.985] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0102.985] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0102.985] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0102.985] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0102.985] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0102.985] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0102.985] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0102.985] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0102.985] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0102.985] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0102.986] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0102.986] lstrcmpiW (lpString1=".pptx", lpString2=".NEPHILIM") returned 1 [0102.986] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0102.986] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0102.986] lstrcmpiW (lpString1="DrkA.pptx", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.986] lstrlenA (lpString="NEPHILIM") returned 8 [0102.986] GetProcessHeap () returned 0x4e0000 [0102.986] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504ef0 [0102.986] lstrlenA (lpString="NEPHILIM") returned 8 [0102.986] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DrkA.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\drka.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.986] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=69546) returned 1 [0102.986] GetProcessHeap () returned 0x4e0000 [0102.986] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0102.986] GetProcessHeap () returned 0x4e0000 [0102.986] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.986] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0102.986] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0102.987] GetProcessHeap () returned 0x4e0000 [0102.987] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0102.987] GetProcessHeap () returned 0x4e0000 [0102.987] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0102.987] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0102.987] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0102.987] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10faa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.987] SetLastError (dwErrCode=0x0) [0102.987] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.988] GetLastError () returned 0x0 [0102.988] GetLastError () returned 0x0 [0102.988] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x110aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.989] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0102.989] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x111aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.989] lstrlenA (lpString="NEPHILIM") returned 8 [0102.989] WriteFile (in: hFile=0xec, lpBuffer=0x504ef0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504ef0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0102.989] GetProcessHeap () returned 0x4e0000 [0102.989] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10faa) returned 0x50a8a8 [0102.989] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.989] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x10faa, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x10faa, lpOverlapped=0x0) returned 1 [0102.993] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.993] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x10faa, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x10faa, lpOverlapped=0x0) returned 1 [0102.993] GetProcessHeap () returned 0x4e0000 [0102.993] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0102.993] CloseHandle (hObject=0xec) returned 1 [0102.996] GetProcessHeap () returned 0x4e0000 [0102.996] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0102.996] GetProcessHeap () returned 0x4e0000 [0102.996] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0102.996] GetProcessHeap () returned 0x4e0000 [0102.996] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0102.996] GetProcessHeap () returned 0x4e0000 [0102.996] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0102.996] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DrkA.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DrkA.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DrkA.pptx" [0102.996] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DrkA.pptx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DrkA.pptx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DrkA.pptx.NEPHILIM" [0102.996] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DrkA.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\drka.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\DrkA.pptx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\drka.pptx.nephilim")) returned 1 [0102.997] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd25cc620, ftCreationTime.dwHighDateTime=0x1d5d989, ftLastAccessTime.dwLowDateTime=0x83fe6d50, ftLastAccessTime.dwHighDateTime=0x1d5e0cb, ftLastWriteTime.dwLowDateTime=0x83fe6d50, ftLastWriteTime.dwHighDateTime=0x1d5e0cb, nFileSizeHigh=0x0, nFileSizeLow=0x60a4, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="e6d1Jkz wG7c.docx", cAlternateFileName="E6D1JK~1.DOC")) returned 1 [0102.997] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2=".") returned 1 [0102.997] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="..") returned 1 [0102.997] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="...") returned 1 [0102.997] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="windows") returned -1 [0102.997] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="$RECYCLE.BIN") returned 1 [0102.997] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="rsa") returned -1 [0102.997] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="log") returned -1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="NTDETECT.COM") returned -1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="ntldr") returned -1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="MSDOS.SYS") returned -1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="IO.SYS") returned -1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="boot.ini") returned 1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="AUTOEXEC.BAT") returned 1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="ntuser.dat") returned -1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="desktop.ini") returned 1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="CONFIG.SYS") returned 1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="RECYCLER") returned -1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="BOOTSECT.BAK") returned 1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="bootmgr") returned 1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="programdata") returned -1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="appdata") returned 1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="program files") returned -1 [0102.998] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="program files (x86)") returned -1 [0102.998] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0102.998] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="e6d1Jkz wG7c.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\e6d1Jkz wG7c.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\e6d1Jkz wG7c.docx" [0102.998] PathFindExtensionW (pszPath="e6d1Jkz wG7c.docx") returned=".docx" [0102.998] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0102.998] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0102.998] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0102.998] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0102.998] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0102.998] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0102.999] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0102.999] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0102.999] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0102.999] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0102.999] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0102.999] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0102.999] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0102.999] lstrcmpiW (lpString1=".docx", lpString2=".NEPHILIM") returned -1 [0102.999] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0102.999] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0102.999] lstrcmpiW (lpString1="e6d1Jkz wG7c.docx", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0102.999] lstrlenA (lpString="NEPHILIM") returned 8 [0102.999] GetProcessHeap () returned 0x4e0000 [0102.999] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504f00 [0102.999] lstrlenA (lpString="NEPHILIM") returned 8 [0102.999] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\e6d1Jkz wG7c.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\e6d1jkz wg7c.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0102.999] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=24740) returned 1 [0102.999] GetProcessHeap () returned 0x4e0000 [0102.999] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0102.999] GetProcessHeap () returned 0x4e0000 [0103.000] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.000] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.000] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.000] GetProcessHeap () returned 0x4e0000 [0103.000] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.000] GetProcessHeap () returned 0x4e0000 [0103.000] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.000] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.000] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.000] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x60a4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.000] SetLastError (dwErrCode=0x0) [0103.000] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.001] GetLastError () returned 0x0 [0103.001] GetLastError () returned 0x0 [0103.002] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x61a4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.002] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.002] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x62a4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.002] lstrlenA (lpString="NEPHILIM") returned 8 [0103.002] WriteFile (in: hFile=0xec, lpBuffer=0x504f00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504f00*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.002] GetProcessHeap () returned 0x4e0000 [0103.002] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x60a4) returned 0x50a8a8 [0103.002] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.002] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x60a4, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x60a4, lpOverlapped=0x0) returned 1 [0103.004] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.004] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x60a4, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x60a4, lpOverlapped=0x0) returned 1 [0103.004] GetProcessHeap () returned 0x4e0000 [0103.004] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.004] CloseHandle (hObject=0xec) returned 1 [0103.005] GetProcessHeap () returned 0x4e0000 [0103.005] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.005] GetProcessHeap () returned 0x4e0000 [0103.005] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.005] GetProcessHeap () returned 0x4e0000 [0103.005] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.005] GetProcessHeap () returned 0x4e0000 [0103.006] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.006] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\e6d1Jkz wG7c.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\e6d1Jkz wG7c.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\e6d1Jkz wG7c.docx" [0103.006] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\e6d1Jkz wG7c.docx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\e6d1Jkz wG7c.docx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\e6d1Jkz wG7c.docx.NEPHILIM" [0103.006] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\e6d1Jkz wG7c.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\e6d1jkz wg7c.docx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\e6d1Jkz wG7c.docx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\e6d1jkz wg7c.docx.nephilim")) returned 1 [0103.008] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe794390, ftCreationTime.dwHighDateTime=0x1d5e434, ftLastAccessTime.dwLowDateTime=0x55d3b720, ftLastAccessTime.dwHighDateTime=0x1d5e678, ftLastWriteTime.dwLowDateTime=0x55d3b720, ftLastWriteTime.dwHighDateTime=0x1d5e678, nFileSizeHigh=0x0, nFileSizeLow=0x3fb7, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="gHbU7_W8JM.xls", cAlternateFileName="GHBU7_~1.XLS")) returned 1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2=".") returned 1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="..") returned 1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="...") returned 1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="windows") returned -1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="$RECYCLE.BIN") returned 1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="rsa") returned -1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="log") returned -1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="NTDETECT.COM") returned -1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="ntldr") returned -1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="MSDOS.SYS") returned -1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="IO.SYS") returned -1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="boot.ini") returned 1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="AUTOEXEC.BAT") returned 1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="ntuser.dat") returned -1 [0103.008] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="desktop.ini") returned 1 [0103.009] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="CONFIG.SYS") returned 1 [0103.009] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="RECYCLER") returned -1 [0103.009] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="BOOTSECT.BAK") returned 1 [0103.009] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="bootmgr") returned 1 [0103.009] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="programdata") returned -1 [0103.009] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="appdata") returned 1 [0103.009] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="program files") returned -1 [0103.009] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="program files (x86)") returned -1 [0103.009] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.009] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="gHbU7_W8JM.xls" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHbU7_W8JM.xls") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHbU7_W8JM.xls" [0103.009] PathFindExtensionW (pszPath="gHbU7_W8JM.xls") returned=".xls" [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".NEPHILIM") returned 1 [0103.009] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0103.010] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0103.010] lstrcmpiW (lpString1="gHbU7_W8JM.xls", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.010] lstrlenA (lpString="NEPHILIM") returned 8 [0103.010] GetProcessHeap () returned 0x4e0000 [0103.010] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504f10 [0103.010] lstrlenA (lpString="NEPHILIM") returned 8 [0103.010] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHbU7_W8JM.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ghbu7_w8jm.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.010] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=16311) returned 1 [0103.010] GetProcessHeap () returned 0x4e0000 [0103.010] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.010] GetProcessHeap () returned 0x4e0000 [0103.010] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.010] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.010] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.010] GetProcessHeap () returned 0x4e0000 [0103.010] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.010] GetProcessHeap () returned 0x4e0000 [0103.010] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.010] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.011] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.011] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x3fb7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.011] SetLastError (dwErrCode=0x0) [0103.011] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.012] GetLastError () returned 0x0 [0103.012] GetLastError () returned 0x0 [0103.012] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x40b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.012] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.012] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x41b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.013] lstrlenA (lpString="NEPHILIM") returned 8 [0103.013] WriteFile (in: hFile=0xec, lpBuffer=0x504f10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504f10*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.013] GetProcessHeap () returned 0x4e0000 [0103.013] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3fb7) returned 0x50a8a8 [0103.013] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.013] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x3fb7, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x3fb7, lpOverlapped=0x0) returned 1 [0103.014] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.014] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x3fb7, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x3fb7, lpOverlapped=0x0) returned 1 [0103.014] GetProcessHeap () returned 0x4e0000 [0103.014] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.014] CloseHandle (hObject=0xec) returned 1 [0103.015] GetProcessHeap () returned 0x4e0000 [0103.015] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.015] GetProcessHeap () returned 0x4e0000 [0103.015] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.015] GetProcessHeap () returned 0x4e0000 [0103.015] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.015] GetProcessHeap () returned 0x4e0000 [0103.015] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.015] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHbU7_W8JM.xls" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHbU7_W8JM.xls") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHbU7_W8JM.xls" [0103.015] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHbU7_W8JM.xls", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHbU7_W8JM.xls.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHbU7_W8JM.xls.NEPHILIM" [0103.016] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHbU7_W8JM.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ghbu7_w8jm.xls"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHbU7_W8JM.xls.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ghbu7_w8jm.xls.nephilim")) returned 1 [0103.016] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda71d4d0, ftCreationTime.dwHighDateTime=0x1d5ae1f, ftLastAccessTime.dwLowDateTime=0x523bb890, ftLastAccessTime.dwHighDateTime=0x1d57875, ftLastWriteTime.dwLowDateTime=0x523bb890, ftLastWriteTime.dwHighDateTime=0x1d57875, nFileSizeHigh=0x0, nFileSizeLow=0x18f08, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="hFm1kpKH3Q.docx", cAlternateFileName="HFM1KP~1.DOC")) returned 1 [0103.016] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2=".") returned 1 [0103.016] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="..") returned 1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="...") returned 1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="windows") returned -1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="$RECYCLE.BIN") returned 1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="rsa") returned -1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="log") returned -1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="NTDETECT.COM") returned -1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="ntldr") returned -1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="MSDOS.SYS") returned -1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="IO.SYS") returned -1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="boot.ini") returned 1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="AUTOEXEC.BAT") returned 1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="ntuser.dat") returned -1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="desktop.ini") returned 1 [0103.017] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="CONFIG.SYS") returned 1 [0103.018] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="RECYCLER") returned -1 [0103.018] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="BOOTSECT.BAK") returned 1 [0103.018] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="bootmgr") returned 1 [0103.018] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="programdata") returned -1 [0103.018] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="appdata") returned 1 [0103.018] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="program files") returned -1 [0103.018] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="program files (x86)") returned -1 [0103.018] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.018] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="hFm1kpKH3Q.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hFm1kpKH3Q.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hFm1kpKH3Q.docx" [0103.018] PathFindExtensionW (pszPath="hFm1kpKH3Q.docx") returned=".docx" [0103.018] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0103.018] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0103.018] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0103.018] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0103.018] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0103.018] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0103.018] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0103.018] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0103.019] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0103.019] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0103.019] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0103.019] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0103.019] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0103.019] lstrcmpiW (lpString1=".docx", lpString2=".NEPHILIM") returned -1 [0103.019] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0103.019] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0103.019] lstrcmpiW (lpString1="hFm1kpKH3Q.docx", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.019] lstrlenA (lpString="NEPHILIM") returned 8 [0103.019] GetProcessHeap () returned 0x4e0000 [0103.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504f20 [0103.019] lstrlenA (lpString="NEPHILIM") returned 8 [0103.019] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hFm1kpKH3Q.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hfm1kpkh3q.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.019] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=102152) returned 1 [0103.019] GetProcessHeap () returned 0x4e0000 [0103.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.019] GetProcessHeap () returned 0x4e0000 [0103.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.019] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.019] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.019] GetProcessHeap () returned 0x4e0000 [0103.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.020] GetProcessHeap () returned 0x4e0000 [0103.020] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.020] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.020] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.020] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x18f08, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.020] SetLastError (dwErrCode=0x0) [0103.020] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.021] GetLastError () returned 0x0 [0103.021] GetLastError () returned 0x0 [0103.021] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x19008, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.021] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.021] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x19108, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.022] lstrlenA (lpString="NEPHILIM") returned 8 [0103.022] WriteFile (in: hFile=0xec, lpBuffer=0x504f20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504f20*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.022] GetProcessHeap () returned 0x4e0000 [0103.022] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x18f08) returned 0x50a8a8 [0103.022] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.022] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x18f08, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x18f08, lpOverlapped=0x0) returned 1 [0103.028] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.028] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x18f08, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x18f08, lpOverlapped=0x0) returned 1 [0103.028] GetProcessHeap () returned 0x4e0000 [0103.028] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.028] CloseHandle (hObject=0xec) returned 1 [0103.030] GetProcessHeap () returned 0x4e0000 [0103.030] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.030] GetProcessHeap () returned 0x4e0000 [0103.030] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.030] GetProcessHeap () returned 0x4e0000 [0103.030] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.030] GetProcessHeap () returned 0x4e0000 [0103.031] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.031] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hFm1kpKH3Q.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hFm1kpKH3Q.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hFm1kpKH3Q.docx" [0103.031] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hFm1kpKH3Q.docx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hFm1kpKH3Q.docx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hFm1kpKH3Q.docx.NEPHILIM" [0103.031] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hFm1kpKH3Q.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hfm1kpkh3q.docx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hFm1kpKH3Q.docx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hfm1kpkh3q.docx.nephilim")) returned 1 [0103.032] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2c1e160, ftCreationTime.dwHighDateTime=0x1d5da30, ftLastAccessTime.dwLowDateTime=0x206cc2e0, ftLastAccessTime.dwHighDateTime=0x1d5e1d5, ftLastWriteTime.dwLowDateTime=0x206cc2e0, ftLastWriteTime.dwHighDateTime=0x1d5e1d5, nFileSizeHigh=0x0, nFileSizeLow=0x7554, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="hGgaJMwOgUg.doc", cAlternateFileName="HGGAJM~1.DOC")) returned 1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2=".") returned 1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="..") returned 1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="...") returned 1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="windows") returned -1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="$RECYCLE.BIN") returned 1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="rsa") returned -1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="log") returned -1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="NTDETECT.COM") returned -1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="ntldr") returned -1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="MSDOS.SYS") returned -1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="IO.SYS") returned -1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="boot.ini") returned 1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="AUTOEXEC.BAT") returned 1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="ntuser.dat") returned -1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="desktop.ini") returned 1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="CONFIG.SYS") returned 1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="RECYCLER") returned -1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="BOOTSECT.BAK") returned 1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="bootmgr") returned 1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="programdata") returned -1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="appdata") returned 1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="program files") returned -1 [0103.033] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="program files (x86)") returned -1 [0103.033] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.033] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="hGgaJMwOgUg.doc" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hGgaJMwOgUg.doc") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hGgaJMwOgUg.doc" [0103.033] PathFindExtensionW (pszPath="hGgaJMwOgUg.doc") returned=".doc" [0103.033] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0103.033] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0103.033] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0103.033] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0103.034] lstrcmpiW (lpString1=".doc", lpString2=".com") returned 1 [0103.034] lstrcmpiW (lpString1=".doc", lpString2=".cpl") returned 1 [0103.034] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0103.034] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0103.034] lstrcmpiW (lpString1=".doc", lpString2=".url") returned -1 [0103.034] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0103.034] lstrcmpiW (lpString1=".doc", lpString2=".mp3") returned -1 [0103.034] lstrcmpiW (lpString1=".doc", lpString2=".pif") returned -1 [0103.034] lstrcmpiW (lpString1=".doc", lpString2=".mp4") returned -1 [0103.034] lstrcmpiW (lpString1=".doc", lpString2=".NEPHILIM") returned -1 [0103.034] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0103.034] lstrcmpiW (lpString1=".doc", lpString2=".lnk") returned -1 [0103.034] lstrcmpiW (lpString1="hGgaJMwOgUg.doc", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.034] lstrlenA (lpString="NEPHILIM") returned 8 [0103.034] GetProcessHeap () returned 0x4e0000 [0103.034] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504f30 [0103.034] lstrlenA (lpString="NEPHILIM") returned 8 [0103.034] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hGgaJMwOgUg.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hggajmwogug.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.034] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=30036) returned 1 [0103.034] GetProcessHeap () returned 0x4e0000 [0103.034] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.034] GetProcessHeap () returned 0x4e0000 [0103.034] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.034] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.034] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.034] GetProcessHeap () returned 0x4e0000 [0103.034] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.035] GetProcessHeap () returned 0x4e0000 [0103.035] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.035] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.035] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.035] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7554, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.035] SetLastError (dwErrCode=0x0) [0103.035] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.036] GetLastError () returned 0x0 [0103.036] GetLastError () returned 0x0 [0103.036] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7654, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.036] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.036] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7754, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.036] lstrlenA (lpString="NEPHILIM") returned 8 [0103.036] WriteFile (in: hFile=0xec, lpBuffer=0x504f30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504f30*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.036] GetProcessHeap () returned 0x4e0000 [0103.037] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x7554) returned 0x50a8a8 [0103.037] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.037] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x7554, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x7554, lpOverlapped=0x0) returned 1 [0103.038] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.038] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x7554, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x7554, lpOverlapped=0x0) returned 1 [0103.038] GetProcessHeap () returned 0x4e0000 [0103.038] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.038] CloseHandle (hObject=0xec) returned 1 [0103.043] GetProcessHeap () returned 0x4e0000 [0103.043] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.043] GetProcessHeap () returned 0x4e0000 [0103.043] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.044] GetProcessHeap () returned 0x4e0000 [0103.044] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.044] GetProcessHeap () returned 0x4e0000 [0103.044] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.044] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hGgaJMwOgUg.doc" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hGgaJMwOgUg.doc") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hGgaJMwOgUg.doc" [0103.044] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hGgaJMwOgUg.doc", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hGgaJMwOgUg.doc.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hGgaJMwOgUg.doc.NEPHILIM" [0103.044] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hGgaJMwOgUg.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hggajmwogug.doc"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hGgaJMwOgUg.doc.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hggajmwogug.doc.nephilim")) returned 1 [0103.045] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x388b0170, ftCreationTime.dwHighDateTime=0x1d5a60c, ftLastAccessTime.dwLowDateTime=0xe594f190, ftLastAccessTime.dwHighDateTime=0x1d55bcb, ftLastWriteTime.dwLowDateTime=0xe594f190, ftLastWriteTime.dwHighDateTime=0x1d55bcb, nFileSizeHigh=0x0, nFileSizeLow=0x4979, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="I3ODYtrtIoMU9TnXB8.pptx", cAlternateFileName="I3ODYT~1.PPT")) returned 1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2=".") returned 1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="..") returned 1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="...") returned 1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="windows") returned -1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="$RECYCLE.BIN") returned 1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="rsa") returned -1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="log") returned -1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="NTDETECT.COM") returned -1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="ntldr") returned -1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="MSDOS.SYS") returned -1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="IO.SYS") returned -1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="boot.ini") returned 1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="ntuser.dat") returned -1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="desktop.ini") returned 1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="CONFIG.SYS") returned 1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="RECYCLER") returned -1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="BOOTSECT.BAK") returned 1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="bootmgr") returned 1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="programdata") returned -1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="appdata") returned 1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="program files") returned -1 [0103.045] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="program files (x86)") returned -1 [0103.046] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.046] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="I3ODYtrtIoMU9TnXB8.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I3ODYtrtIoMU9TnXB8.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I3ODYtrtIoMU9TnXB8.pptx" [0103.046] PathFindExtensionW (pszPath="I3ODYtrtIoMU9TnXB8.pptx") returned=".pptx" [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".NEPHILIM") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0103.046] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0103.046] lstrcmpiW (lpString1="I3ODYtrtIoMU9TnXB8.pptx", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.046] lstrlenA (lpString="NEPHILIM") returned 8 [0103.046] GetProcessHeap () returned 0x4e0000 [0103.046] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504f40 [0103.046] lstrlenA (lpString="NEPHILIM") returned 8 [0103.046] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I3ODYtrtIoMU9TnXB8.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\i3odytrtiomu9tnxb8.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.046] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=18809) returned 1 [0103.046] GetProcessHeap () returned 0x4e0000 [0103.046] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.047] GetProcessHeap () returned 0x4e0000 [0103.047] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.047] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.047] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.047] GetProcessHeap () returned 0x4e0000 [0103.047] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.047] GetProcessHeap () returned 0x4e0000 [0103.047] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.047] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.047] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.047] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x4979, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.047] SetLastError (dwErrCode=0x0) [0103.047] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.049] GetLastError () returned 0x0 [0103.049] GetLastError () returned 0x0 [0103.049] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x4a79, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.049] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.049] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x4b79, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.049] lstrlenA (lpString="NEPHILIM") returned 8 [0103.049] WriteFile (in: hFile=0xec, lpBuffer=0x504f40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504f40*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.049] GetProcessHeap () returned 0x4e0000 [0103.049] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x4979) returned 0x50a8a8 [0103.049] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.049] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x4979, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x4979, lpOverlapped=0x0) returned 1 [0103.050] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.050] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x4979, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x4979, lpOverlapped=0x0) returned 1 [0103.051] GetProcessHeap () returned 0x4e0000 [0103.051] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.051] CloseHandle (hObject=0xec) returned 1 [0103.056] GetProcessHeap () returned 0x4e0000 [0103.056] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.056] GetProcessHeap () returned 0x4e0000 [0103.056] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.056] GetProcessHeap () returned 0x4e0000 [0103.056] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.056] GetProcessHeap () returned 0x4e0000 [0103.056] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.056] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I3ODYtrtIoMU9TnXB8.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I3ODYtrtIoMU9TnXB8.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I3ODYtrtIoMU9TnXB8.pptx" [0103.056] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I3ODYtrtIoMU9TnXB8.pptx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I3ODYtrtIoMU9TnXB8.pptx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I3ODYtrtIoMU9TnXB8.pptx.NEPHILIM" [0103.056] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I3ODYtrtIoMU9TnXB8.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\i3odytrtiomu9tnxb8.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I3ODYtrtIoMU9TnXB8.pptx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\i3odytrtiomu9tnxb8.pptx.nephilim")) returned 1 [0103.057] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2f51e0, ftCreationTime.dwHighDateTime=0x1d5dfb8, ftLastAccessTime.dwLowDateTime=0x9be2ded0, ftLastAccessTime.dwHighDateTime=0x1d5e3da, ftLastWriteTime.dwLowDateTime=0x9be2ded0, ftLastWriteTime.dwHighDateTime=0x1d5e3da, nFileSizeHigh=0x0, nFileSizeLow=0x1038f, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="Irr_.pdf", cAlternateFileName="")) returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2=".") returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="..") returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="...") returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="windows") returned -1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="$RECYCLE.BIN") returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="rsa") returned -1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="log") returned -1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="NTDETECT.COM") returned -1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="ntldr") returned -1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="MSDOS.SYS") returned -1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="IO.SYS") returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="boot.ini") returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="AUTOEXEC.BAT") returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="ntuser.dat") returned -1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="desktop.ini") returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="CONFIG.SYS") returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="RECYCLER") returned -1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="BOOTSECT.BAK") returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="bootmgr") returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="programdata") returned -1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="appdata") returned 1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="program files") returned -1 [0103.058] lstrcmpiW (lpString1="Irr_.pdf", lpString2="program files (x86)") returned -1 [0103.058] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.058] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Irr_.pdf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Irr_.pdf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Irr_.pdf" [0103.058] PathFindExtensionW (pszPath="Irr_.pdf") returned=".pdf" [0103.058] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0103.058] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0103.058] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0103.058] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0103.058] lstrcmpiW (lpString1=".pdf", lpString2=".com") returned 1 [0103.059] lstrcmpiW (lpString1=".pdf", lpString2=".cpl") returned 1 [0103.059] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0103.059] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0103.059] lstrcmpiW (lpString1=".pdf", lpString2=".url") returned -1 [0103.059] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0103.059] lstrcmpiW (lpString1=".pdf", lpString2=".mp3") returned 1 [0103.059] lstrcmpiW (lpString1=".pdf", lpString2=".pif") returned -1 [0103.059] lstrcmpiW (lpString1=".pdf", lpString2=".mp4") returned 1 [0103.059] lstrcmpiW (lpString1=".pdf", lpString2=".NEPHILIM") returned 1 [0103.059] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0103.059] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0103.059] lstrcmpiW (lpString1="Irr_.pdf", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.059] lstrlenA (lpString="NEPHILIM") returned 8 [0103.059] GetProcessHeap () returned 0x4e0000 [0103.059] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504f50 [0103.059] lstrlenA (lpString="NEPHILIM") returned 8 [0103.059] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Irr_.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\irr_.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.059] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=66447) returned 1 [0103.059] GetProcessHeap () returned 0x4e0000 [0103.059] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.059] GetProcessHeap () returned 0x4e0000 [0103.059] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.059] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.059] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.060] GetProcessHeap () returned 0x4e0000 [0103.060] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.060] GetProcessHeap () returned 0x4e0000 [0103.060] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.060] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.060] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.060] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1038f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.060] SetLastError (dwErrCode=0x0) [0103.060] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.061] GetLastError () returned 0x0 [0103.061] GetLastError () returned 0x0 [0103.061] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1048f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.061] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.061] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1058f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.061] lstrlenA (lpString="NEPHILIM") returned 8 [0103.061] WriteFile (in: hFile=0xec, lpBuffer=0x504f50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504f50*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.062] GetProcessHeap () returned 0x4e0000 [0103.062] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1038f) returned 0x50a8a8 [0103.062] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.062] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x1038f, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x1038f, lpOverlapped=0x0) returned 1 [0103.066] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.066] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x1038f, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x1038f, lpOverlapped=0x0) returned 1 [0103.066] GetProcessHeap () returned 0x4e0000 [0103.066] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.066] CloseHandle (hObject=0xec) returned 1 [0103.068] GetProcessHeap () returned 0x4e0000 [0103.068] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.068] GetProcessHeap () returned 0x4e0000 [0103.068] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.068] GetProcessHeap () returned 0x4e0000 [0103.068] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.068] GetProcessHeap () returned 0x4e0000 [0103.068] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.068] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Irr_.pdf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Irr_.pdf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Irr_.pdf" [0103.068] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Irr_.pdf", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Irr_.pdf.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Irr_.pdf.NEPHILIM" [0103.068] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Irr_.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\irr_.pdf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Irr_.pdf.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\irr_.pdf.nephilim")) returned 1 [0103.069] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccae510, ftCreationTime.dwHighDateTime=0x1d5c604, ftLastAccessTime.dwLowDateTime=0x96b37b10, ftLastAccessTime.dwHighDateTime=0x1d596cb, ftLastWriteTime.dwLowDateTime=0x96b37b10, ftLastWriteTime.dwHighDateTime=0x1d596cb, nFileSizeHigh=0x0, nFileSizeLow=0x2eb3, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="k rQv1BVbxkLF1PT_t.pptx", cAlternateFileName="KRQV1B~1.PPT")) returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2=".") returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="..") returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="...") returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="windows") returned -1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="$RECYCLE.BIN") returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="rsa") returned -1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="log") returned -1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="NTDETECT.COM") returned -1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="ntldr") returned -1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="MSDOS.SYS") returned -1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="IO.SYS") returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="boot.ini") returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="ntuser.dat") returned -1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="desktop.ini") returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="CONFIG.SYS") returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="RECYCLER") returned -1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="BOOTSECT.BAK") returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="bootmgr") returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="programdata") returned -1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="appdata") returned 1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="program files") returned -1 [0103.069] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="program files (x86)") returned -1 [0103.070] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.070] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="k rQv1BVbxkLF1PT_t.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\k rQv1BVbxkLF1PT_t.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\k rQv1BVbxkLF1PT_t.pptx" [0103.070] PathFindExtensionW (pszPath="k rQv1BVbxkLF1PT_t.pptx") returned=".pptx" [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".NEPHILIM") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0103.070] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0103.070] lstrcmpiW (lpString1="k rQv1BVbxkLF1PT_t.pptx", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.070] lstrlenA (lpString="NEPHILIM") returned 8 [0103.070] GetProcessHeap () returned 0x4e0000 [0103.070] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504f60 [0103.070] lstrlenA (lpString="NEPHILIM") returned 8 [0103.070] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\k rQv1BVbxkLF1PT_t.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\k rqv1bvbxklf1pt_t.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.071] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=11955) returned 1 [0103.071] GetProcessHeap () returned 0x4e0000 [0103.071] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.071] GetProcessHeap () returned 0x4e0000 [0103.071] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.071] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.071] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.071] GetProcessHeap () returned 0x4e0000 [0103.071] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.071] GetProcessHeap () returned 0x4e0000 [0103.071] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.071] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.072] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.072] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2eb3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.072] SetLastError (dwErrCode=0x0) [0103.072] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.073] GetLastError () returned 0x0 [0103.074] GetLastError () returned 0x0 [0103.074] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2fb3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.074] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.074] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x30b3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.074] lstrlenA (lpString="NEPHILIM") returned 8 [0103.074] WriteFile (in: hFile=0xec, lpBuffer=0x504f60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504f60*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.074] GetProcessHeap () returned 0x4e0000 [0103.074] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2eb3) returned 0x50a8a8 [0103.074] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.074] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x2eb3, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x2eb3, lpOverlapped=0x0) returned 1 [0103.076] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.076] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x2eb3, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x2eb3, lpOverlapped=0x0) returned 1 [0103.076] GetProcessHeap () returned 0x4e0000 [0103.076] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.076] CloseHandle (hObject=0xec) returned 1 [0103.082] GetProcessHeap () returned 0x4e0000 [0103.082] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.082] GetProcessHeap () returned 0x4e0000 [0103.082] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.082] GetProcessHeap () returned 0x4e0000 [0103.082] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.083] GetProcessHeap () returned 0x4e0000 [0103.083] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.083] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\k rQv1BVbxkLF1PT_t.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\k rQv1BVbxkLF1PT_t.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\k rQv1BVbxkLF1PT_t.pptx" [0103.083] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\k rQv1BVbxkLF1PT_t.pptx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\k rQv1BVbxkLF1PT_t.pptx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\k rQv1BVbxkLF1PT_t.pptx.NEPHILIM" [0103.083] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\k rQv1BVbxkLF1PT_t.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\k rqv1bvbxklf1pt_t.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\k rQv1BVbxkLF1PT_t.pptx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\k rqv1bvbxklf1pt_t.pptx.nephilim")) returned 1 [0103.084] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb97dd0, ftCreationTime.dwHighDateTime=0x1d5e2fc, ftLastAccessTime.dwLowDateTime=0xe6bb9590, ftLastAccessTime.dwHighDateTime=0x1d5e5a7, ftLastWriteTime.dwLowDateTime=0xe6bb9590, ftLastWriteTime.dwHighDateTime=0x1d5e5a7, nFileSizeHigh=0x0, nFileSizeLow=0xdc4c, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="KTm9Oa0kRuLE49QF.pptx", cAlternateFileName="KTM9OA~1.PPT")) returned 1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2=".") returned 1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="..") returned 1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="...") returned 1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="windows") returned -1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="$RECYCLE.BIN") returned 1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="rsa") returned -1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="log") returned -1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="NTDETECT.COM") returned -1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="ntldr") returned -1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="MSDOS.SYS") returned -1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="IO.SYS") returned 1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="boot.ini") returned 1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="ntuser.dat") returned -1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="desktop.ini") returned 1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="CONFIG.SYS") returned 1 [0103.084] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="RECYCLER") returned -1 [0103.085] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="BOOTSECT.BAK") returned 1 [0103.085] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="bootmgr") returned 1 [0103.085] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="programdata") returned -1 [0103.085] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="appdata") returned 1 [0103.085] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="program files") returned -1 [0103.085] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="program files (x86)") returned -1 [0103.085] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.085] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="KTm9Oa0kRuLE49QF.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KTm9Oa0kRuLE49QF.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KTm9Oa0kRuLE49QF.pptx" [0103.085] PathFindExtensionW (pszPath="KTm9Oa0kRuLE49QF.pptx") returned=".pptx" [0103.085] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0103.085] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0103.085] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0103.085] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0103.085] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0103.085] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0103.085] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0103.085] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0103.085] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0103.085] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0103.085] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0103.085] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0103.086] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0103.086] lstrcmpiW (lpString1=".pptx", lpString2=".NEPHILIM") returned 1 [0103.086] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0103.086] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0103.086] lstrcmpiW (lpString1="KTm9Oa0kRuLE49QF.pptx", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.086] lstrlenA (lpString="NEPHILIM") returned 8 [0103.086] GetProcessHeap () returned 0x4e0000 [0103.086] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504f70 [0103.086] lstrlenA (lpString="NEPHILIM") returned 8 [0103.086] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KTm9Oa0kRuLE49QF.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ktm9oa0krule49qf.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.086] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=56396) returned 1 [0103.086] GetProcessHeap () returned 0x4e0000 [0103.086] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.086] GetProcessHeap () returned 0x4e0000 [0103.086] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.086] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.086] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.086] GetProcessHeap () returned 0x4e0000 [0103.087] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.087] GetProcessHeap () returned 0x4e0000 [0103.087] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.087] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.088] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.088] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xdc4c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.088] SetLastError (dwErrCode=0x0) [0103.088] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.090] GetLastError () returned 0x0 [0103.090] GetLastError () returned 0x0 [0103.090] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xdd4c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.090] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.090] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xde4c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.090] lstrlenA (lpString="NEPHILIM") returned 8 [0103.090] WriteFile (in: hFile=0xec, lpBuffer=0x504f70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504f70*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.090] GetProcessHeap () returned 0x4e0000 [0103.090] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xdc4c) returned 0x50a8a8 [0103.090] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.091] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0xdc4c, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0xdc4c, lpOverlapped=0x0) returned 1 [0103.094] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.094] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0xdc4c, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0xdc4c, lpOverlapped=0x0) returned 1 [0103.095] GetProcessHeap () returned 0x4e0000 [0103.095] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.095] CloseHandle (hObject=0xec) returned 1 [0103.099] GetProcessHeap () returned 0x4e0000 [0103.099] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.099] GetProcessHeap () returned 0x4e0000 [0103.099] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.099] GetProcessHeap () returned 0x4e0000 [0103.099] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.099] GetProcessHeap () returned 0x4e0000 [0103.099] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.099] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KTm9Oa0kRuLE49QF.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KTm9Oa0kRuLE49QF.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KTm9Oa0kRuLE49QF.pptx" [0103.099] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KTm9Oa0kRuLE49QF.pptx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KTm9Oa0kRuLE49QF.pptx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KTm9Oa0kRuLE49QF.pptx.NEPHILIM" [0103.099] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KTm9Oa0kRuLE49QF.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ktm9oa0krule49qf.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KTm9Oa0kRuLE49QF.pptx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ktm9oa0krule49qf.pptx.nephilim")) returned 1 [0103.100] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c30f5a0, ftCreationTime.dwHighDateTime=0x1d5e5c6, ftLastAccessTime.dwLowDateTime=0x803ec570, ftLastAccessTime.dwHighDateTime=0x1d5ded7, ftLastWriteTime.dwLowDateTime=0x803ec570, ftLastWriteTime.dwHighDateTime=0x1d5ded7, nFileSizeHigh=0x0, nFileSizeLow=0x11173, dwReserved0=0x440042, dwReserved1=0x24def60, cFileName="KYOamUk14HBWDY9DY.odp", cAlternateFileName="KYOAMU~1.ODP")) returned 1 [0103.100] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2=".") returned 1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="..") returned 1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="...") returned 1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="windows") returned -1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="$RECYCLE.BIN") returned 1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="rsa") returned -1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="log") returned -1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="NTDETECT.COM") returned -1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="ntldr") returned -1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="MSDOS.SYS") returned -1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="IO.SYS") returned 1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="boot.ini") returned 1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="AUTOEXEC.BAT") returned 1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="ntuser.dat") returned -1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="desktop.ini") returned 1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="CONFIG.SYS") returned 1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="RECYCLER") returned -1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="BOOTSECT.BAK") returned 1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="bootmgr") returned 1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="programdata") returned -1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="appdata") returned 1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="program files") returned -1 [0103.101] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="program files (x86)") returned -1 [0103.101] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.101] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="KYOamUk14HBWDY9DY.odp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KYOamUk14HBWDY9DY.odp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KYOamUk14HBWDY9DY.odp" [0103.101] PathFindExtensionW (pszPath="KYOamUk14HBWDY9DY.odp") returned=".odp" [0103.101] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0103.101] lstrcmpiW (lpString1=".odp", lpString2=".log") returned 1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".cab") returned 1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".cmd") returned 1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".com") returned 1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".cpl") returned 1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".url") returned -1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".ttf") returned -1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".mp3") returned 1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".pif") returned -1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".mp4") returned 1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".NEPHILIM") returned 1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0103.102] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0103.102] lstrcmpiW (lpString1="KYOamUk14HBWDY9DY.odp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.102] lstrlenA (lpString="NEPHILIM") returned 8 [0103.102] GetProcessHeap () returned 0x4e0000 [0103.102] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504f80 [0103.102] lstrlenA (lpString="NEPHILIM") returned 8 [0103.102] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KYOamUk14HBWDY9DY.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kyoamuk14hbwdy9dy.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.102] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=70003) returned 1 [0103.102] GetProcessHeap () returned 0x4e0000 [0103.102] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.103] GetProcessHeap () returned 0x4e0000 [0103.103] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.103] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.103] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.103] GetProcessHeap () returned 0x4e0000 [0103.103] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.103] GetProcessHeap () returned 0x4e0000 [0103.103] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.103] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.103] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.103] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11173, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.103] SetLastError (dwErrCode=0x0) [0103.103] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.104] GetLastError () returned 0x0 [0103.104] GetLastError () returned 0x0 [0103.104] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11273, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.104] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.104] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11373, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.104] lstrlenA (lpString="NEPHILIM") returned 8 [0103.105] WriteFile (in: hFile=0xec, lpBuffer=0x504f80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504f80*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.105] GetProcessHeap () returned 0x4e0000 [0103.105] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x11173) returned 0x50a8a8 [0103.105] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.105] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x11173, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x11173, lpOverlapped=0x0) returned 1 [0103.108] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.108] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x11173, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x11173, lpOverlapped=0x0) returned 1 [0103.108] GetProcessHeap () returned 0x4e0000 [0103.109] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.109] CloseHandle (hObject=0xec) returned 1 [0103.111] GetProcessHeap () returned 0x4e0000 [0103.111] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.111] GetProcessHeap () returned 0x4e0000 [0103.111] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.111] GetProcessHeap () returned 0x4e0000 [0103.111] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.111] GetProcessHeap () returned 0x4e0000 [0103.111] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.111] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KYOamUk14HBWDY9DY.odp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KYOamUk14HBWDY9DY.odp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KYOamUk14HBWDY9DY.odp" [0103.111] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KYOamUk14HBWDY9DY.odp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KYOamUk14HBWDY9DY.odp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KYOamUk14HBWDY9DY.odp.NEPHILIM" [0103.111] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KYOamUk14HBWDY9DY.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kyoamuk14hbwdy9dy.odp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KYOamUk14HBWDY9DY.odp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kyoamuk14hbwdy9dy.odp.nephilim")) returned 1 [0103.112] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0103.112] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0103.112] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0103.112] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0103.112] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0103.112] lstrcmpiW (lpString1="My Music", lpString2="$RECYCLE.BIN") returned 1 [0103.112] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0103.112] lstrcmpiW (lpString1="My Music", lpString2="log") returned 1 [0103.112] lstrcmpiW (lpString1="My Music", lpString2="NTDETECT.COM") returned -1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="ntldr") returned -1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="MSDOS.SYS") returned 1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="IO.SYS") returned 1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="boot.ini") returned 1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="AUTOEXEC.BAT") returned 1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="desktop.ini") returned 1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="CONFIG.SYS") returned 1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="RECYCLER") returned -1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="BOOTSECT.BAK") returned 1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0103.113] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0103.113] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.113] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music" [0103.113] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\" [0103.113] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\" [0103.113] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*.*" [0103.113] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x18492b, ftLastAccessTime.dwHighDateTime=0x3, ftLastWriteTime.dwLowDateTime=0x8c, ftLastWriteTime.dwHighDateTime=0x1acc9a04, nFileSizeHigh=0x8240483c, nFileSizeLow=0x759be6a3, dwReserved0=0x24dddac, dwReserved1=0x72381664, cFileName="ɍọ矋", cAlternateFileName="")) returned 0xffffffff [0103.114] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="$RECYCLE.BIN") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="log") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="NTDETECT.COM") returned -1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="ntldr") returned -1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="MSDOS.SYS") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="IO.SYS") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="boot.ini") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="desktop.ini") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="CONFIG.SYS") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="RECYCLER") returned -1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="BOOTSECT.BAK") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0103.114] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0103.114] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.114] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures" [0103.115] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\" [0103.115] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\" [0103.115] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*.*" [0103.115] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x18492b, ftLastAccessTime.dwHighDateTime=0x3, ftLastWriteTime.dwLowDateTime=0x8c, ftLastWriteTime.dwHighDateTime=0x1acc9a04, nFileSizeHigh=0x8240483c, nFileSizeLow=0x759be6a3, dwReserved0=0x24dddac, dwReserved1=0x72381664, cFileName="ɍọ矋", cAlternateFileName="")) returned 0xffffffff [0103.115] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2=".") returned 1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="..") returned 1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="...") returned 1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="windows") returned -1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="$RECYCLE.BIN") returned 1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="rsa") returned -1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="log") returned 1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="NTDETECT.COM") returned -1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="ntldr") returned -1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="MSDOS.SYS") returned 1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="IO.SYS") returned 1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="boot.ini") returned 1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="AUTOEXEC.BAT") returned 1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="ntuser.dat") returned -1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="desktop.ini") returned 1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="CONFIG.SYS") returned 1 [0103.115] lstrcmpiW (lpString1="My Shapes", lpString2="RECYCLER") returned -1 [0103.116] lstrcmpiW (lpString1="My Shapes", lpString2="BOOTSECT.BAK") returned 1 [0103.116] lstrcmpiW (lpString1="My Shapes", lpString2="bootmgr") returned 1 [0103.116] lstrcmpiW (lpString1="My Shapes", lpString2="programdata") returned -1 [0103.116] lstrcmpiW (lpString1="My Shapes", lpString2="appdata") returned 1 [0103.116] lstrcmpiW (lpString1="My Shapes", lpString2="program files") returned -1 [0103.116] lstrcmpiW (lpString1="My Shapes", lpString2="program files (x86)") returned -1 [0103.116] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.116] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Shapes" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" [0103.116] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" [0103.116] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" [0103.116] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*" [0103.116] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0x72381664, cFileName=".", cAlternateFileName="")) returned 0x502870 [0103.117] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0103.117] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0x72381664, cFileName="..", cAlternateFileName="")) returned 1 [0103.117] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0103.117] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0103.117] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x24dddac, dwReserved1=0x72381664, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0103.117] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0103.117] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9e9e4460, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9e9e4460, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0x72381664, cFileName="Favorites.vss", cAlternateFileName="FAVORI~1.VSS")) returned 1 [0103.117] lstrcmpiW (lpString1="Favorites.vss", lpString2=".") returned 1 [0103.117] lstrcmpiW (lpString1="Favorites.vss", lpString2="..") returned 1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="...") returned 1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="windows") returned -1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="$RECYCLE.BIN") returned 1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="rsa") returned -1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="log") returned -1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="NTDETECT.COM") returned -1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="ntldr") returned -1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="MSDOS.SYS") returned -1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="IO.SYS") returned -1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="boot.ini") returned 1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="AUTOEXEC.BAT") returned 1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="ntuser.dat") returned -1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="desktop.ini") returned 1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="CONFIG.SYS") returned 1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="RECYCLER") returned -1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="BOOTSECT.BAK") returned 1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="bootmgr") returned 1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="programdata") returned -1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="appdata") returned 1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="program files") returned -1 [0103.118] lstrcmpiW (lpString1="Favorites.vss", lpString2="program files (x86)") returned -1 [0103.118] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" [0103.118] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\", lpString2="Favorites.vss" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" [0103.118] PathFindExtensionW (pszPath="Favorites.vss") returned=".vss" [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".exe") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".log") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".cab") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".cmd") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".com") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".cpl") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".ini") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".dll") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".url") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".ttf") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".mp3") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".pif") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".mp4") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".NEPHILIM") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".msi") returned 1 [0103.119] lstrcmpiW (lpString1=".vss", lpString2=".lnk") returned 1 [0103.119] lstrcmpiW (lpString1="Favorites.vss", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.119] lstrlenA (lpString="NEPHILIM") returned 8 [0103.119] GetProcessHeap () returned 0x4e0000 [0103.119] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504f90 [0103.119] lstrlenA (lpString="NEPHILIM") returned 8 [0103.119] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0103.121] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=0) returned 1 [0103.121] GetProcessHeap () returned 0x4e0000 [0103.121] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.121] GetProcessHeap () returned 0x4e0000 [0103.121] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.121] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.121] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.121] GetProcessHeap () returned 0x4e0000 [0103.121] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.121] GetProcessHeap () returned 0x4e0000 [0103.121] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.121] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0103.121] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0103.122] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.122] SetLastError (dwErrCode=0x0) [0103.122] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.123] GetLastError () returned 0x0 [0103.123] GetLastError () returned 0x0 [0103.123] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.123] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.123] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.123] lstrlenA (lpString="NEPHILIM") returned 8 [0103.123] WriteFile (in: hFile=0xf0, lpBuffer=0x504f90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x504f90*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0103.123] GetProcessHeap () returned 0x4e0000 [0103.124] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x0) returned 0x504fa0 [0103.124] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.124] ReadFile (in: hFile=0xf0, lpBuffer=0x504fa0, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x504fa0*, lpNumberOfBytesRead=0x24dddb0*=0x0, lpOverlapped=0x0) returned 1 [0103.124] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.124] WriteFile (in: hFile=0xf0, lpBuffer=0x504fa0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x504fa0*, lpNumberOfBytesWritten=0x24dddbc*=0x0, lpOverlapped=0x0) returned 1 [0103.124] GetProcessHeap () returned 0x4e0000 [0103.124] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504fa0 | out: hHeap=0x4e0000) returned 1 [0103.124] CloseHandle (hObject=0xf0) returned 1 [0103.125] GetProcessHeap () returned 0x4e0000 [0103.125] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.125] GetProcessHeap () returned 0x4e0000 [0103.125] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.125] GetProcessHeap () returned 0x4e0000 [0103.125] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.125] GetProcessHeap () returned 0x4e0000 [0103.125] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.125] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" [0103.125] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.NEPHILIM" [0103.125] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss.nephilim")) returned 1 [0103.126] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0x72381664, cFileName="_private", cAlternateFileName="")) returned 1 [0103.126] lstrcmpiW (lpString1="_private", lpString2=".") returned 1 [0103.126] lstrcmpiW (lpString1="_private", lpString2="..") returned 1 [0103.126] lstrcmpiW (lpString1="_private", lpString2="...") returned 1 [0103.126] lstrcmpiW (lpString1="_private", lpString2="windows") returned -1 [0103.126] lstrcmpiW (lpString1="_private", lpString2="$RECYCLE.BIN") returned 1 [0103.126] lstrcmpiW (lpString1="_private", lpString2="rsa") returned -1 [0103.126] lstrcmpiW (lpString1="_private", lpString2="log") returned -1 [0103.126] lstrcmpiW (lpString1="_private", lpString2="NTDETECT.COM") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="ntldr") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="MSDOS.SYS") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="IO.SYS") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="boot.ini") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="AUTOEXEC.BAT") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="ntuser.dat") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="desktop.ini") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="CONFIG.SYS") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="RECYCLER") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="BOOTSECT.BAK") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="bootmgr") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="programdata") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="appdata") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="program files") returned -1 [0103.127] lstrcmpiW (lpString1="_private", lpString2="program files (x86)") returned -1 [0103.127] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" [0103.127] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\", lpString2="_private" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" [0103.127] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\" [0103.127] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\" [0103.127] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*.*" [0103.127] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x8fb49638, cFileName=".", cAlternateFileName="")) returned 0x5028b0 [0103.147] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0103.147] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x8fb49638, cFileName="..", cAlternateFileName="")) returned 1 [0103.147] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0103.147] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0103.147] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x24dd72c, dwReserved1=0x8fb49638, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0103.147] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0103.147] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0103.147] lstrcmpiW (lpString1="folder.ico", lpString2="...") returned 1 [0103.147] lstrcmpiW (lpString1="folder.ico", lpString2="windows") returned -1 [0103.147] lstrcmpiW (lpString1="folder.ico", lpString2="$RECYCLE.BIN") returned 1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="rsa") returned -1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="log") returned -1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="NTDETECT.COM") returned -1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="ntldr") returned -1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="MSDOS.SYS") returned -1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="IO.SYS") returned -1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="boot.ini") returned 1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="AUTOEXEC.BAT") returned 1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="ntuser.dat") returned -1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="desktop.ini") returned 1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="CONFIG.SYS") returned 1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="RECYCLER") returned -1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="BOOTSECT.BAK") returned 1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="bootmgr") returned 1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="programdata") returned -1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="appdata") returned 1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="program files") returned -1 [0103.148] lstrcmpiW (lpString1="folder.ico", lpString2="program files (x86)") returned -1 [0103.148] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\" [0103.148] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\", lpString2="folder.ico" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" [0103.148] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0103.148] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0103.148] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0103.148] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0103.148] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0103.148] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0103.149] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0103.149] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0103.149] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0103.149] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0103.149] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0103.149] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0103.149] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0103.149] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0103.149] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0103.149] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0103.149] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0103.149] lstrcmpiW (lpString1="folder.ico", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.149] lstrlenA (lpString="NEPHILIM") returned 8 [0103.149] GetProcessHeap () returned 0x4e0000 [0103.149] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504fa0 [0103.149] lstrlenA (lpString="NEPHILIM") returned 8 [0103.149] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0103.151] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=29926) returned 1 [0103.151] GetProcessHeap () returned 0x4e0000 [0103.151] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.151] GetProcessHeap () returned 0x4e0000 [0103.151] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.151] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.151] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.151] GetProcessHeap () returned 0x4e0000 [0103.151] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.151] GetProcessHeap () returned 0x4e0000 [0103.151] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.151] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0103.152] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0103.152] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x74e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.152] SetLastError (dwErrCode=0x0) [0103.152] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.177] GetLastError () returned 0x0 [0103.177] GetLastError () returned 0x0 [0103.177] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x75e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.177] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.178] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x76e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.178] lstrlenA (lpString="NEPHILIM") returned 8 [0103.178] WriteFile (in: hFile=0xf4, lpBuffer=0x504fa0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x504fa0*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0103.178] GetProcessHeap () returned 0x4e0000 [0103.178] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x74e6) returned 0x50c8b8 [0103.178] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.178] ReadFile (in: hFile=0xf4, lpBuffer=0x50c8b8, nNumberOfBytesToRead=0x74e6, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesRead=0x24dd730*=0x74e6, lpOverlapped=0x0) returned 1 [0103.191] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.191] WriteFile (in: hFile=0xf4, lpBuffer=0x50c8b8*, nNumberOfBytesToWrite=0x74e6, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50c8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x74e6, lpOverlapped=0x0) returned 1 [0103.191] GetProcessHeap () returned 0x4e0000 [0103.191] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b8 | out: hHeap=0x4e0000) returned 1 [0103.191] CloseHandle (hObject=0xf4) returned 1 [0103.193] GetProcessHeap () returned 0x4e0000 [0103.193] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.193] GetProcessHeap () returned 0x4e0000 [0103.193] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.193] GetProcessHeap () returned 0x4e0000 [0103.193] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.193] GetProcessHeap () returned 0x4e0000 [0103.193] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.193] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" [0103.193] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.NEPHILIM" [0103.193] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.nephilim")) returned 1 [0103.194] FindNextFileW (in: hFindFile=0x5028b0, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x24dd72c, dwReserved1=0x8fb49638, cFileName="folder.ico", cAlternateFileName="")) returned 0 [0103.194] FindClose (in: hFindFile=0x5028b0 | out: hFindFile=0x5028b0) returned 1 [0103.194] FindNextFileW (in: hFindFile=0x502870, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0x72381664, cFileName="_private", cAlternateFileName="")) returned 0 [0103.194] FindClose (in: hFindFile=0x502870 | out: hFindFile=0x502870) returned 1 [0103.194] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="$RECYCLE.BIN") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="log") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="NTDETECT.COM") returned -1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="ntldr") returned -1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="MSDOS.SYS") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="IO.SYS") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="boot.ini") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="AUTOEXEC.BAT") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="desktop.ini") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="CONFIG.SYS") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="RECYCLER") returned -1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="BOOTSECT.BAK") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0103.195] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0103.195] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.196] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos" [0103.196] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\" [0103.196] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\" [0103.196] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*.*" [0103.196] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0x72381664, cFileName="_private", cAlternateFileName="")) returned 0xffffffff [0103.196] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43cffbb0, ftCreationTime.dwHighDateTime=0x1d5add9, ftLastAccessTime.dwLowDateTime=0x98669a10, ftLastAccessTime.dwHighDateTime=0x1d5ae08, ftLastWriteTime.dwLowDateTime=0x98669a10, ftLastWriteTime.dwHighDateTime=0x1d5ae08, nFileSizeHigh=0x0, nFileSizeLow=0x12f15, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="NiLRt-IssRBIvJL.xlsx", cAlternateFileName="NILRT-~1.XLS")) returned 1 [0103.196] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2=".") returned 1 [0103.196] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="..") returned 1 [0103.196] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="...") returned 1 [0103.196] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="windows") returned -1 [0103.196] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0103.196] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="rsa") returned -1 [0103.196] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="log") returned 1 [0103.196] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="NTDETECT.COM") returned -1 [0103.196] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="ntldr") returned -1 [0103.196] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="MSDOS.SYS") returned 1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="IO.SYS") returned 1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="boot.ini") returned 1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="ntuser.dat") returned -1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="desktop.ini") returned 1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="CONFIG.SYS") returned 1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="RECYCLER") returned -1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="bootmgr") returned 1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="programdata") returned -1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="appdata") returned 1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="program files") returned -1 [0103.197] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="program files (x86)") returned -1 [0103.197] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.197] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="NiLRt-IssRBIvJL.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NiLRt-IssRBIvJL.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NiLRt-IssRBIvJL.xlsx" [0103.197] PathFindExtensionW (pszPath="NiLRt-IssRBIvJL.xlsx") returned=".xlsx" [0103.197] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0103.197] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0103.197] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0103.197] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0103.197] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0103.197] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0103.197] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0103.198] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0103.198] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0103.198] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0103.198] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0103.198] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0103.198] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0103.198] lstrcmpiW (lpString1=".xlsx", lpString2=".NEPHILIM") returned 1 [0103.198] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0103.198] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0103.198] lstrcmpiW (lpString1="NiLRt-IssRBIvJL.xlsx", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.198] lstrlenA (lpString="NEPHILIM") returned 8 [0103.198] GetProcessHeap () returned 0x4e0000 [0103.198] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504fb0 [0103.198] lstrlenA (lpString="NEPHILIM") returned 8 [0103.198] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NiLRt-IssRBIvJL.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nilrt-issrbivjl.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.198] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=77589) returned 1 [0103.198] GetProcessHeap () returned 0x4e0000 [0103.198] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.198] GetProcessHeap () returned 0x4e0000 [0103.198] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.199] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.199] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.199] GetProcessHeap () returned 0x4e0000 [0103.199] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.199] GetProcessHeap () returned 0x4e0000 [0103.199] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.199] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.199] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.199] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x12f15, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.199] SetLastError (dwErrCode=0x0) [0103.199] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.201] GetLastError () returned 0x0 [0103.201] GetLastError () returned 0x0 [0103.201] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x13015, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.201] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.201] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x13115, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.201] lstrlenA (lpString="NEPHILIM") returned 8 [0103.201] WriteFile (in: hFile=0xec, lpBuffer=0x504fb0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504fb0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.201] GetProcessHeap () returned 0x4e0000 [0103.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x12f15) returned 0x50a8a8 [0103.201] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.201] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x12f15, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x12f15, lpOverlapped=0x0) returned 1 [0103.207] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.207] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x12f15, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x12f15, lpOverlapped=0x0) returned 1 [0103.207] GetProcessHeap () returned 0x4e0000 [0103.208] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.208] CloseHandle (hObject=0xec) returned 1 [0103.210] GetProcessHeap () returned 0x4e0000 [0103.210] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.210] GetProcessHeap () returned 0x4e0000 [0103.210] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.210] GetProcessHeap () returned 0x4e0000 [0103.210] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.210] GetProcessHeap () returned 0x4e0000 [0103.210] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.210] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NiLRt-IssRBIvJL.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NiLRt-IssRBIvJL.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NiLRt-IssRBIvJL.xlsx" [0103.210] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NiLRt-IssRBIvJL.xlsx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NiLRt-IssRBIvJL.xlsx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NiLRt-IssRBIvJL.xlsx.NEPHILIM" [0103.210] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NiLRt-IssRBIvJL.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nilrt-issrbivjl.xlsx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NiLRt-IssRBIvJL.xlsx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nilrt-issrbivjl.xlsx.nephilim")) returned 1 [0103.211] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc30d6580, ftCreationTime.dwHighDateTime=0x1d584c0, ftLastAccessTime.dwLowDateTime=0x1ca66f0, ftLastAccessTime.dwHighDateTime=0x1d5c031, ftLastWriteTime.dwLowDateTime=0x1ca66f0, ftLastWriteTime.dwHighDateTime=0x1d5c031, nFileSizeHigh=0x0, nFileSizeLow=0xabb7, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Ogf7AjwKVj- f7L.xlsx", cAlternateFileName="OGF7AJ~1.XLS")) returned 1 [0103.211] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2=".") returned 1 [0103.211] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="..") returned 1 [0103.211] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="...") returned 1 [0103.211] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="windows") returned -1 [0103.211] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0103.211] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="rsa") returned -1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="log") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="NTDETECT.COM") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="ntldr") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="MSDOS.SYS") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="IO.SYS") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="boot.ini") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="ntuser.dat") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="desktop.ini") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="CONFIG.SYS") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="RECYCLER") returned -1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="bootmgr") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="programdata") returned -1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="appdata") returned 1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="program files") returned -1 [0103.212] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="program files (x86)") returned -1 [0103.212] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.212] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Ogf7AjwKVj- f7L.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ogf7AjwKVj- f7L.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ogf7AjwKVj- f7L.xlsx" [0103.212] PathFindExtensionW (pszPath="Ogf7AjwKVj- f7L.xlsx") returned=".xlsx" [0103.212] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0103.212] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0103.212] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0103.212] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0103.213] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0103.213] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0103.213] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0103.213] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0103.213] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0103.213] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0103.213] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0103.213] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0103.213] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0103.213] lstrcmpiW (lpString1=".xlsx", lpString2=".NEPHILIM") returned 1 [0103.213] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0103.213] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0103.213] lstrcmpiW (lpString1="Ogf7AjwKVj- f7L.xlsx", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.213] lstrlenA (lpString="NEPHILIM") returned 8 [0103.213] GetProcessHeap () returned 0x4e0000 [0103.213] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504fc0 [0103.213] lstrlenA (lpString="NEPHILIM") returned 8 [0103.213] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ogf7AjwKVj- f7L.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ogf7ajwkvj- f7l.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.213] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=43959) returned 1 [0103.214] GetProcessHeap () returned 0x4e0000 [0103.214] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.214] GetProcessHeap () returned 0x4e0000 [0103.214] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.214] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.214] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.214] GetProcessHeap () returned 0x4e0000 [0103.214] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.214] GetProcessHeap () returned 0x4e0000 [0103.214] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.214] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.214] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.214] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xabb7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.214] SetLastError (dwErrCode=0x0) [0103.215] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.216] GetLastError () returned 0x0 [0103.216] GetLastError () returned 0x0 [0103.216] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xacb7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.216] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.216] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xadb7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.216] lstrlenA (lpString="NEPHILIM") returned 8 [0103.216] WriteFile (in: hFile=0xec, lpBuffer=0x504fc0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504fc0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.216] GetProcessHeap () returned 0x4e0000 [0103.216] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xabb7) returned 0x50a8a8 [0103.216] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.216] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0xabb7, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0xabb7, lpOverlapped=0x0) returned 1 [0103.219] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.219] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0xabb7, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0xabb7, lpOverlapped=0x0) returned 1 [0103.222] GetProcessHeap () returned 0x4e0000 [0103.222] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.222] CloseHandle (hObject=0xec) returned 1 [0103.224] GetProcessHeap () returned 0x4e0000 [0103.224] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.224] GetProcessHeap () returned 0x4e0000 [0103.224] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.224] GetProcessHeap () returned 0x4e0000 [0103.224] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.224] GetProcessHeap () returned 0x4e0000 [0103.224] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.224] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ogf7AjwKVj- f7L.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ogf7AjwKVj- f7L.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ogf7AjwKVj- f7L.xlsx" [0103.225] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ogf7AjwKVj- f7L.xlsx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ogf7AjwKVj- f7L.xlsx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ogf7AjwKVj- f7L.xlsx.NEPHILIM" [0103.225] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ogf7AjwKVj- f7L.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ogf7ajwkvj- f7l.xlsx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Ogf7AjwKVj- f7L.xlsx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ogf7ajwkvj- f7l.xlsx.nephilim")) returned 1 [0103.226] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea9062e0, ftCreationTime.dwHighDateTime=0x1d5dcb5, ftLastAccessTime.dwLowDateTime=0x84105800, ftLastAccessTime.dwHighDateTime=0x1d5d912, ftLastWriteTime.dwLowDateTime=0x84105800, ftLastWriteTime.dwHighDateTime=0x1d5d912, nFileSizeHigh=0x0, nFileSizeLow=0xfea8, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="OGo4dD K8S.docx", cAlternateFileName="OGO4DD~1.DOC")) returned 1 [0103.226] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2=".") returned 1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="..") returned 1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="...") returned 1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="windows") returned -1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="$RECYCLE.BIN") returned 1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="rsa") returned -1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="log") returned 1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="NTDETECT.COM") returned 1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="ntldr") returned 1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="MSDOS.SYS") returned 1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="IO.SYS") returned 1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="boot.ini") returned 1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="AUTOEXEC.BAT") returned 1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="ntuser.dat") returned 1 [0103.229] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="desktop.ini") returned 1 [0103.230] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="CONFIG.SYS") returned 1 [0103.230] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="RECYCLER") returned -1 [0103.230] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="BOOTSECT.BAK") returned 1 [0103.230] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="bootmgr") returned 1 [0103.230] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="programdata") returned -1 [0103.230] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="appdata") returned 1 [0103.230] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="program files") returned -1 [0103.230] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="program files (x86)") returned -1 [0103.230] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.231] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="OGo4dD K8S.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OGo4dD K8S.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OGo4dD K8S.docx" [0103.231] PathFindExtensionW (pszPath="OGo4dD K8S.docx") returned=".docx" [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".NEPHILIM") returned -1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0103.231] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0103.231] lstrcmpiW (lpString1="OGo4dD K8S.docx", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.231] lstrlenA (lpString="NEPHILIM") returned 8 [0103.231] GetProcessHeap () returned 0x4e0000 [0103.231] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504fd0 [0103.232] lstrlenA (lpString="NEPHILIM") returned 8 [0103.232] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OGo4dD K8S.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ogo4dd k8s.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.232] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=65192) returned 1 [0103.232] GetProcessHeap () returned 0x4e0000 [0103.232] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.232] GetProcessHeap () returned 0x4e0000 [0103.232] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.232] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.232] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.232] GetProcessHeap () returned 0x4e0000 [0103.232] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.232] GetProcessHeap () returned 0x4e0000 [0103.232] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.232] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.233] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.233] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfea8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.233] SetLastError (dwErrCode=0x0) [0103.233] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.234] GetLastError () returned 0x0 [0103.234] GetLastError () returned 0x0 [0103.234] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffa8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.234] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.234] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x100a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.235] lstrlenA (lpString="NEPHILIM") returned 8 [0103.235] WriteFile (in: hFile=0xec, lpBuffer=0x504fd0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504fd0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.235] GetProcessHeap () returned 0x4e0000 [0103.235] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xfea8) returned 0x50a8a8 [0103.235] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.235] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0xfea8, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0xfea8, lpOverlapped=0x0) returned 1 [0103.240] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.240] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0xfea8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0xfea8, lpOverlapped=0x0) returned 1 [0103.240] GetProcessHeap () returned 0x4e0000 [0103.240] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.240] CloseHandle (hObject=0xec) returned 1 [0103.244] GetProcessHeap () returned 0x4e0000 [0103.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.244] GetProcessHeap () returned 0x4e0000 [0103.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.244] GetProcessHeap () returned 0x4e0000 [0103.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.244] GetProcessHeap () returned 0x4e0000 [0103.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.244] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OGo4dD K8S.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OGo4dD K8S.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OGo4dD K8S.docx" [0103.244] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OGo4dD K8S.docx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OGo4dD K8S.docx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OGo4dD K8S.docx.NEPHILIM" [0103.245] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OGo4dD K8S.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ogo4dd k8s.docx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OGo4dD K8S.docx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ogo4dd k8s.docx.nephilim")) returned 1 [0103.246] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcfd4870, ftCreationTime.dwHighDateTime=0x1d5e2c8, ftLastAccessTime.dwLowDateTime=0x6d92bd30, ftLastAccessTime.dwHighDateTime=0x1d5dccc, ftLastWriteTime.dwLowDateTime=0x6d92bd30, ftLastWriteTime.dwHighDateTime=0x1d5dccc, nFileSizeHigh=0x0, nFileSizeLow=0x30cc, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="orgKFXQ--.pdf", cAlternateFileName="ORGKFX~1.PDF")) returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2=".") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="..") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="...") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="windows") returned -1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="$RECYCLE.BIN") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="rsa") returned -1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="log") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="NTDETECT.COM") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="ntldr") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="MSDOS.SYS") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="IO.SYS") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="boot.ini") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="AUTOEXEC.BAT") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="ntuser.dat") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="desktop.ini") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="CONFIG.SYS") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="RECYCLER") returned -1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="BOOTSECT.BAK") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="bootmgr") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="programdata") returned -1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="appdata") returned 1 [0103.246] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="program files") returned -1 [0103.247] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="program files (x86)") returned -1 [0103.247] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.247] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="orgKFXQ--.pdf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\orgKFXQ--.pdf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\orgKFXQ--.pdf" [0103.247] PathFindExtensionW (pszPath="orgKFXQ--.pdf") returned=".pdf" [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".com") returned 1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".cpl") returned 1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".url") returned -1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".mp3") returned 1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".pif") returned -1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".mp4") returned 1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".NEPHILIM") returned 1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0103.247] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0103.247] lstrcmpiW (lpString1="orgKFXQ--.pdf", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.247] lstrlenA (lpString="NEPHILIM") returned 8 [0103.247] GetProcessHeap () returned 0x4e0000 [0103.247] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504fe0 [0103.248] lstrlenA (lpString="NEPHILIM") returned 8 [0103.248] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\orgKFXQ--.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\orgkfxq--.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.248] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=12492) returned 1 [0103.248] GetProcessHeap () returned 0x4e0000 [0103.248] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.248] GetProcessHeap () returned 0x4e0000 [0103.248] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.248] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.248] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.248] GetProcessHeap () returned 0x4e0000 [0103.248] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.248] GetProcessHeap () returned 0x4e0000 [0103.248] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.248] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.248] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.249] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x30cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.249] SetLastError (dwErrCode=0x0) [0103.249] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.250] GetLastError () returned 0x0 [0103.250] GetLastError () returned 0x0 [0103.250] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x31cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.250] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.250] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x32cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.250] lstrlenA (lpString="NEPHILIM") returned 8 [0103.250] WriteFile (in: hFile=0xec, lpBuffer=0x504fe0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x504fe0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.250] GetProcessHeap () returned 0x4e0000 [0103.250] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x30cc) returned 0x50a8a8 [0103.251] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.251] ReadFile (in: hFile=0xec, lpBuffer=0x50a8a8, nNumberOfBytesToRead=0x30cc, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesRead=0x24de430*=0x30cc, lpOverlapped=0x0) returned 1 [0103.251] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.252] WriteFile (in: hFile=0xec, lpBuffer=0x50a8a8*, nNumberOfBytesToWrite=0x30cc, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50a8a8*, lpNumberOfBytesWritten=0x24de43c*=0x30cc, lpOverlapped=0x0) returned 1 [0103.252] GetProcessHeap () returned 0x4e0000 [0103.252] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50a8a8 | out: hHeap=0x4e0000) returned 1 [0103.252] CloseHandle (hObject=0xec) returned 1 [0103.253] GetProcessHeap () returned 0x4e0000 [0103.253] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.253] GetProcessHeap () returned 0x4e0000 [0103.253] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.253] GetProcessHeap () returned 0x4e0000 [0103.253] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.253] GetProcessHeap () returned 0x4e0000 [0103.253] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.253] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\orgKFXQ--.pdf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\orgKFXQ--.pdf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\orgKFXQ--.pdf" [0103.253] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\orgKFXQ--.pdf", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\orgKFXQ--.pdf.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\orgKFXQ--.pdf.NEPHILIM" [0103.253] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\orgKFXQ--.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\orgkfxq--.pdf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\orgKFXQ--.pdf.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\orgkfxq--.pdf.nephilim")) returned 1 [0103.254] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0103.254] lstrcmpiW (lpString1="Outlook Files", lpString2=".") returned 1 [0103.254] lstrcmpiW (lpString1="Outlook Files", lpString2="..") returned 1 [0103.254] lstrcmpiW (lpString1="Outlook Files", lpString2="...") returned 1 [0103.254] lstrcmpiW (lpString1="Outlook Files", lpString2="windows") returned -1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="$RECYCLE.BIN") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="rsa") returned -1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="log") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="NTDETECT.COM") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="ntldr") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="MSDOS.SYS") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="IO.SYS") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="boot.ini") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="AUTOEXEC.BAT") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="ntuser.dat") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="desktop.ini") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="CONFIG.SYS") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="RECYCLER") returned -1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="BOOTSECT.BAK") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="bootmgr") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="programdata") returned -1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="appdata") returned 1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="program files") returned -1 [0103.255] lstrcmpiW (lpString1="Outlook Files", lpString2="program files (x86)") returned -1 [0103.255] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.255] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Outlook Files" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" [0103.255] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\" [0103.255] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\" [0103.255] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*.*" [0103.256] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0xcc3eb24, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0103.256] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0103.256] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0xcc3eb24, cFileName="..", cAlternateFileName="")) returned 1 [0103.256] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0103.256] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0103.256] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5a868660, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5a868660, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x8a4fb680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x24dddac, dwReserved1=0xcc3eb24, cFileName="voeimd@djhreuu.uhd.pst", cAlternateFileName="VOEIMD~1.PST")) returned 1 [0103.256] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2=".") returned 1 [0103.256] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="..") returned 1 [0103.256] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="...") returned 1 [0103.256] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="windows") returned -1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="$RECYCLE.BIN") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="rsa") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="log") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="NTDETECT.COM") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="ntldr") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="MSDOS.SYS") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="IO.SYS") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="boot.ini") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="AUTOEXEC.BAT") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="ntuser.dat") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="desktop.ini") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="CONFIG.SYS") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="RECYCLER") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="BOOTSECT.BAK") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="bootmgr") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="programdata") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="appdata") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="program files") returned 1 [0103.257] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="program files (x86)") returned 1 [0103.257] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\" [0103.257] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\", lpString2="voeimd@djhreuu.uhd.pst" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" [0103.257] PathFindExtensionW (pszPath="voeimd@djhreuu.uhd.pst") returned=".pst" [0103.257] lstrcmpiW (lpString1=".pst", lpString2=".exe") returned 1 [0103.257] lstrcmpiW (lpString1=".pst", lpString2=".log") returned 1 [0103.257] lstrcmpiW (lpString1=".pst", lpString2=".cab") returned 1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".cmd") returned 1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".com") returned 1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".cpl") returned 1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".ini") returned 1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".dll") returned 1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".url") returned -1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".ttf") returned -1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".mp3") returned 1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".pif") returned 1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".mp4") returned 1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".NEPHILIM") returned 1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".msi") returned 1 [0103.258] lstrcmpiW (lpString1=".pst", lpString2=".lnk") returned 1 [0103.258] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.258] lstrlenA (lpString="NEPHILIM") returned 8 [0103.258] GetProcessHeap () returned 0x4e0000 [0103.258] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x504ff0 [0103.258] lstrlenA (lpString="NEPHILIM") returned 8 [0103.258] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0103.259] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=271360) returned 1 [0103.259] GetProcessHeap () returned 0x4e0000 [0103.259] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.259] GetProcessHeap () returned 0x4e0000 [0103.259] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.259] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.259] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.259] GetProcessHeap () returned 0x4e0000 [0103.259] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.259] GetProcessHeap () returned 0x4e0000 [0103.259] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.259] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0103.259] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0103.260] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.260] SetLastError (dwErrCode=0x0) [0103.260] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.297] GetLastError () returned 0x0 [0103.297] GetLastError () returned 0x0 [0103.297] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x42500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.297] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.297] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x42600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.297] lstrlenA (lpString="NEPHILIM") returned 8 [0103.297] WriteFile (in: hFile=0xf0, lpBuffer=0x504ff0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x504ff0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0103.297] GetProcessHeap () returned 0x4e0000 [0103.297] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x42400) returned 0x50c8b0 [0103.299] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.299] ReadFile (in: hFile=0xf0, lpBuffer=0x50c8b0, nNumberOfBytesToRead=0x42400, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesRead=0x24dddb0*=0x42400, lpOverlapped=0x0) returned 1 [0103.317] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.317] WriteFile (in: hFile=0xf0, lpBuffer=0x50c8b0*, nNumberOfBytesToWrite=0x42400, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x42400, lpOverlapped=0x0) returned 1 [0103.318] GetProcessHeap () returned 0x4e0000 [0103.318] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b0 | out: hHeap=0x4e0000) returned 1 [0103.318] CloseHandle (hObject=0xf0) returned 1 [0103.324] GetProcessHeap () returned 0x4e0000 [0103.324] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.324] GetProcessHeap () returned 0x4e0000 [0103.324] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.324] GetProcessHeap () returned 0x4e0000 [0103.325] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.325] GetProcessHeap () returned 0x4e0000 [0103.325] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.325] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" [0103.325] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.NEPHILIM" [0103.325] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.nephilim")) returned 1 [0103.326] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5a868660, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5a868660, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x8a4fb680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x24dddac, dwReserved1=0xcc3eb24, cFileName="voeimd@djhreuu.uhd.pst", cAlternateFileName="VOEIMD~1.PST")) returned 0 [0103.326] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0103.326] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1784a60, ftCreationTime.dwHighDateTime=0x1d5e6b4, ftLastAccessTime.dwLowDateTime=0x1b2b6540, ftLastAccessTime.dwHighDateTime=0x1d5e15b, ftLastWriteTime.dwLowDateTime=0x1b2b6540, ftLastWriteTime.dwHighDateTime=0x1d5e15b, nFileSizeHigh=0x0, nFileSizeLow=0x6822, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="QA7FXyy6TF.ods", cAlternateFileName="QA7FXY~1.ODS")) returned 1 [0103.326] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2=".") returned 1 [0103.326] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="..") returned 1 [0103.326] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="...") returned 1 [0103.326] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="windows") returned -1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="$RECYCLE.BIN") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="rsa") returned -1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="log") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="NTDETECT.COM") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="ntldr") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="MSDOS.SYS") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="IO.SYS") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="boot.ini") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="AUTOEXEC.BAT") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="ntuser.dat") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="desktop.ini") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="CONFIG.SYS") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="RECYCLER") returned -1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="BOOTSECT.BAK") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="bootmgr") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="programdata") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="appdata") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="program files") returned 1 [0103.327] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="program files (x86)") returned 1 [0103.327] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.328] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="QA7FXyy6TF.ods" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QA7FXyy6TF.ods") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QA7FXyy6TF.ods" [0103.328] PathFindExtensionW (pszPath="QA7FXyy6TF.ods") returned=".ods" [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".log") returned 1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".cab") returned 1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".cmd") returned 1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".com") returned 1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".cpl") returned 1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".url") returned -1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".mp3") returned 1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".pif") returned -1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".mp4") returned 1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".NEPHILIM") returned 1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0103.328] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0103.328] lstrcmpiW (lpString1="QA7FXyy6TF.ods", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.328] lstrlenA (lpString="NEPHILIM") returned 8 [0103.328] GetProcessHeap () returned 0x4e0000 [0103.328] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505000 [0103.328] lstrlenA (lpString="NEPHILIM") returned 8 [0103.328] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QA7FXyy6TF.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qa7fxyy6tf.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.342] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=26658) returned 1 [0103.343] GetProcessHeap () returned 0x4e0000 [0103.343] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.343] GetProcessHeap () returned 0x4e0000 [0103.343] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.343] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.343] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.343] GetProcessHeap () returned 0x4e0000 [0103.343] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.343] GetProcessHeap () returned 0x4e0000 [0103.343] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.343] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.343] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.343] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6822, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.344] SetLastError (dwErrCode=0x0) [0103.344] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.345] GetLastError () returned 0x0 [0103.345] GetLastError () returned 0x0 [0103.345] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6922, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.345] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.345] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6a22, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.345] lstrlenA (lpString="NEPHILIM") returned 8 [0103.345] WriteFile (in: hFile=0xec, lpBuffer=0x505000*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505000*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.345] GetProcessHeap () returned 0x4e0000 [0103.346] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x6822) returned 0x50b8a8 [0103.346] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.346] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x6822, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x6822, lpOverlapped=0x0) returned 1 [0103.347] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.347] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x6822, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x6822, lpOverlapped=0x0) returned 1 [0103.348] GetProcessHeap () returned 0x4e0000 [0103.348] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0103.348] CloseHandle (hObject=0xec) returned 1 [0103.352] GetProcessHeap () returned 0x4e0000 [0103.352] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.352] GetProcessHeap () returned 0x4e0000 [0103.352] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.352] GetProcessHeap () returned 0x4e0000 [0103.352] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.352] GetProcessHeap () returned 0x4e0000 [0103.352] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.352] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QA7FXyy6TF.ods" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QA7FXyy6TF.ods") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QA7FXyy6TF.ods" [0103.352] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QA7FXyy6TF.ods", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QA7FXyy6TF.ods.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QA7FXyy6TF.ods.NEPHILIM" [0103.352] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QA7FXyy6TF.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qa7fxyy6tf.ods"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QA7FXyy6TF.ods.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qa7fxyy6tf.ods.nephilim")) returned 1 [0103.354] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5595720, ftCreationTime.dwHighDateTime=0x1d5d538, ftLastAccessTime.dwLowDateTime=0x55c15330, ftLastAccessTime.dwHighDateTime=0x1d55ca5, ftLastWriteTime.dwLowDateTime=0x55c15330, ftLastWriteTime.dwHighDateTime=0x1d55ca5, nFileSizeHigh=0x0, nFileSizeLow=0x495e, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="r ATUhf6wTb8.pptx", cAlternateFileName="RATUHF~1.PPT")) returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2=".") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="..") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="...") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="windows") returned -1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="$RECYCLE.BIN") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="rsa") returned -1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="log") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="NTDETECT.COM") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="ntldr") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="MSDOS.SYS") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="IO.SYS") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="boot.ini") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="ntuser.dat") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="desktop.ini") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="CONFIG.SYS") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="RECYCLER") returned -1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="BOOTSECT.BAK") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="bootmgr") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="programdata") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="appdata") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="program files") returned 1 [0103.354] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="program files (x86)") returned 1 [0103.354] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.354] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="r ATUhf6wTb8.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r ATUhf6wTb8.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r ATUhf6wTb8.pptx" [0103.354] PathFindExtensionW (pszPath="r ATUhf6wTb8.pptx") returned=".pptx" [0103.354] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0103.354] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0103.354] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0103.354] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0103.355] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0103.355] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0103.355] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0103.355] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0103.355] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0103.355] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0103.355] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0103.355] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0103.355] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0103.355] lstrcmpiW (lpString1=".pptx", lpString2=".NEPHILIM") returned 1 [0103.355] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0103.355] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0103.355] lstrcmpiW (lpString1="r ATUhf6wTb8.pptx", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.355] lstrlenA (lpString="NEPHILIM") returned 8 [0103.355] GetProcessHeap () returned 0x4e0000 [0103.355] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505010 [0103.355] lstrlenA (lpString="NEPHILIM") returned 8 [0103.355] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r ATUhf6wTb8.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r atuhf6wtb8.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.355] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=18782) returned 1 [0103.355] GetProcessHeap () returned 0x4e0000 [0103.355] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.355] GetProcessHeap () returned 0x4e0000 [0103.355] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.355] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.355] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.356] GetProcessHeap () returned 0x4e0000 [0103.356] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.356] GetProcessHeap () returned 0x4e0000 [0103.356] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.356] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.356] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.356] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x495e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.356] SetLastError (dwErrCode=0x0) [0103.356] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.357] GetLastError () returned 0x0 [0103.357] GetLastError () returned 0x0 [0103.357] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x4a5e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.357] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.357] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x4b5e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.357] lstrlenA (lpString="NEPHILIM") returned 8 [0103.357] WriteFile (in: hFile=0xec, lpBuffer=0x505010*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505010*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.357] GetProcessHeap () returned 0x4e0000 [0103.357] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x495e) returned 0x50b8a8 [0103.357] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.357] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x495e, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x495e, lpOverlapped=0x0) returned 1 [0103.359] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.359] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x495e, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x495e, lpOverlapped=0x0) returned 1 [0103.359] GetProcessHeap () returned 0x4e0000 [0103.359] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0103.359] CloseHandle (hObject=0xec) returned 1 [0103.371] GetProcessHeap () returned 0x4e0000 [0103.371] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.371] GetProcessHeap () returned 0x4e0000 [0103.371] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.371] GetProcessHeap () returned 0x4e0000 [0103.371] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.371] GetProcessHeap () returned 0x4e0000 [0103.371] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.371] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r ATUhf6wTb8.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r ATUhf6wTb8.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r ATUhf6wTb8.pptx" [0103.371] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r ATUhf6wTb8.pptx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r ATUhf6wTb8.pptx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r ATUhf6wTb8.pptx.NEPHILIM" [0103.371] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r ATUhf6wTb8.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r atuhf6wtb8.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r ATUhf6wTb8.pptx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r atuhf6wtb8.pptx.nephilim")) returned 1 [0103.372] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c969fa0, ftCreationTime.dwHighDateTime=0x1d5b9d7, ftLastAccessTime.dwLowDateTime=0x1a16bb50, ftLastAccessTime.dwHighDateTime=0x1d593c7, ftLastWriteTime.dwLowDateTime=0x1a16bb50, ftLastWriteTime.dwHighDateTime=0x1d593c7, nFileSizeHigh=0x0, nFileSizeLow=0x47a5, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="r0BhnPupzSSdlJ.xlsx", cAlternateFileName="R0BHNP~1.XLS")) returned 1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2=".") returned 1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="..") returned 1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="...") returned 1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="windows") returned -1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="rsa") returned -1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="log") returned 1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="NTDETECT.COM") returned 1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="ntldr") returned 1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="MSDOS.SYS") returned 1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="IO.SYS") returned 1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="boot.ini") returned 1 [0103.372] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0103.373] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="ntuser.dat") returned 1 [0103.373] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="desktop.ini") returned 1 [0103.373] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="CONFIG.SYS") returned 1 [0103.373] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="RECYCLER") returned -1 [0103.373] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0103.373] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="bootmgr") returned 1 [0103.373] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="programdata") returned 1 [0103.373] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="appdata") returned 1 [0103.373] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="program files") returned 1 [0103.373] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="program files (x86)") returned 1 [0103.373] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.373] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="r0BhnPupzSSdlJ.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r0BhnPupzSSdlJ.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r0BhnPupzSSdlJ.xlsx" [0103.373] PathFindExtensionW (pszPath="r0BhnPupzSSdlJ.xlsx") returned=".xlsx" [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0103.373] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0103.374] lstrcmpiW (lpString1=".xlsx", lpString2=".NEPHILIM") returned 1 [0103.374] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0103.374] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0103.374] lstrcmpiW (lpString1="r0BhnPupzSSdlJ.xlsx", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.374] lstrlenA (lpString="NEPHILIM") returned 8 [0103.374] GetProcessHeap () returned 0x4e0000 [0103.374] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505020 [0103.374] lstrlenA (lpString="NEPHILIM") returned 8 [0103.374] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r0BhnPupzSSdlJ.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r0bhnpupzssdlj.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.374] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=18341) returned 1 [0103.374] GetProcessHeap () returned 0x4e0000 [0103.374] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.374] GetProcessHeap () returned 0x4e0000 [0103.374] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.374] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.374] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.374] GetProcessHeap () returned 0x4e0000 [0103.374] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.377] GetProcessHeap () returned 0x4e0000 [0103.377] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.377] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.378] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.378] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x47a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.378] SetLastError (dwErrCode=0x0) [0103.378] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.379] GetLastError () returned 0x0 [0103.379] GetLastError () returned 0x0 [0103.379] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x48a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.379] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.379] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x49a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.379] lstrlenA (lpString="NEPHILIM") returned 8 [0103.379] WriteFile (in: hFile=0xec, lpBuffer=0x505020*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505020*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.380] GetProcessHeap () returned 0x4e0000 [0103.380] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x47a5) returned 0x50b8a8 [0103.380] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.380] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x47a5, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x47a5, lpOverlapped=0x0) returned 1 [0103.381] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.381] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x47a5, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x47a5, lpOverlapped=0x0) returned 1 [0103.381] GetProcessHeap () returned 0x4e0000 [0103.381] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0103.381] CloseHandle (hObject=0xec) returned 1 [0103.382] GetProcessHeap () returned 0x4e0000 [0103.383] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.383] GetProcessHeap () returned 0x4e0000 [0103.383] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.383] GetProcessHeap () returned 0x4e0000 [0103.383] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.383] GetProcessHeap () returned 0x4e0000 [0103.383] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.383] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r0BhnPupzSSdlJ.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r0BhnPupzSSdlJ.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r0BhnPupzSSdlJ.xlsx" [0103.383] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r0BhnPupzSSdlJ.xlsx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r0BhnPupzSSdlJ.xlsx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r0BhnPupzSSdlJ.xlsx.NEPHILIM" [0103.383] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r0BhnPupzSSdlJ.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r0bhnpupzssdlj.xlsx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r0BhnPupzSSdlJ.xlsx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r0bhnpupzssdlj.xlsx.nephilim")) returned 1 [0103.384] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8702c70, ftCreationTime.dwHighDateTime=0x1d5828a, ftLastAccessTime.dwLowDateTime=0x27e37090, ftLastAccessTime.dwHighDateTime=0x1d590cd, ftLastWriteTime.dwLowDateTime=0x27e37090, ftLastWriteTime.dwHighDateTime=0x1d590cd, nFileSizeHigh=0x0, nFileSizeLow=0x1736d, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="r19wgUh2G_a.xlsx", cAlternateFileName="R19WGU~1.XLS")) returned 1 [0103.384] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2=".") returned 1 [0103.384] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="..") returned 1 [0103.384] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="...") returned 1 [0103.384] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="windows") returned -1 [0103.384] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0103.384] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="rsa") returned -1 [0103.384] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="log") returned 1 [0103.384] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="NTDETECT.COM") returned 1 [0103.384] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="ntldr") returned 1 [0103.384] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="MSDOS.SYS") returned 1 [0103.384] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="IO.SYS") returned 1 [0103.384] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="boot.ini") returned 1 [0103.385] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0103.385] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="ntuser.dat") returned 1 [0103.385] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="desktop.ini") returned 1 [0103.385] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="CONFIG.SYS") returned 1 [0103.385] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="RECYCLER") returned -1 [0103.385] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0103.385] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="bootmgr") returned 1 [0103.385] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="programdata") returned 1 [0103.385] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="appdata") returned 1 [0103.385] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="program files") returned 1 [0103.385] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="program files (x86)") returned 1 [0103.385] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.385] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="r19wgUh2G_a.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r19wgUh2G_a.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r19wgUh2G_a.xlsx" [0103.385] PathFindExtensionW (pszPath="r19wgUh2G_a.xlsx") returned=".xlsx" [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0103.385] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0103.386] lstrcmpiW (lpString1=".xlsx", lpString2=".NEPHILIM") returned 1 [0103.386] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0103.386] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0103.386] lstrcmpiW (lpString1="r19wgUh2G_a.xlsx", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.386] lstrlenA (lpString="NEPHILIM") returned 8 [0103.386] GetProcessHeap () returned 0x4e0000 [0103.386] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505030 [0103.386] lstrlenA (lpString="NEPHILIM") returned 8 [0103.386] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r19wgUh2G_a.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r19wguh2g_a.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.386] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=95085) returned 1 [0103.386] GetProcessHeap () returned 0x4e0000 [0103.386] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.386] GetProcessHeap () returned 0x4e0000 [0103.386] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.386] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.386] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.386] GetProcessHeap () returned 0x4e0000 [0103.386] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.386] GetProcessHeap () returned 0x4e0000 [0103.386] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.386] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.387] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.387] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1736d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.387] SetLastError (dwErrCode=0x0) [0103.387] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.388] GetLastError () returned 0x0 [0103.388] GetLastError () returned 0x0 [0103.388] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1746d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.388] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.388] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1756d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.388] lstrlenA (lpString="NEPHILIM") returned 8 [0103.389] WriteFile (in: hFile=0xec, lpBuffer=0x505030*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505030*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.389] GetProcessHeap () returned 0x4e0000 [0103.389] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1736d) returned 0x50b8a8 [0103.389] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.389] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x1736d, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x1736d, lpOverlapped=0x0) returned 1 [0103.395] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.396] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x1736d, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x1736d, lpOverlapped=0x0) returned 1 [0103.396] GetProcessHeap () returned 0x4e0000 [0103.396] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0103.396] CloseHandle (hObject=0xec) returned 1 [0103.398] GetProcessHeap () returned 0x4e0000 [0103.398] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.398] GetProcessHeap () returned 0x4e0000 [0103.398] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.398] GetProcessHeap () returned 0x4e0000 [0103.398] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.398] GetProcessHeap () returned 0x4e0000 [0103.398] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.398] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r19wgUh2G_a.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r19wgUh2G_a.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r19wgUh2G_a.xlsx" [0103.398] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r19wgUh2G_a.xlsx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r19wgUh2G_a.xlsx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r19wgUh2G_a.xlsx.NEPHILIM" [0103.398] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r19wgUh2G_a.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r19wguh2g_a.xlsx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\r19wgUh2G_a.xlsx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\r19wguh2g_a.xlsx.nephilim")) returned 1 [0103.399] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f49c880, ftCreationTime.dwHighDateTime=0x1d5d7fd, ftLastAccessTime.dwLowDateTime=0xbf234c60, ftLastAccessTime.dwHighDateTime=0x1d5e32e, ftLastWriteTime.dwLowDateTime=0xbf234c60, ftLastWriteTime.dwHighDateTime=0x1d5e32e, nFileSizeHigh=0x0, nFileSizeLow=0x2f39, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="RpcZuWKqTIoEmC-7XzPq.csv", cAlternateFileName="RPCZUW~1.CSV")) returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2=".") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="..") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="...") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="windows") returned -1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="$RECYCLE.BIN") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="rsa") returned -1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="log") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="NTDETECT.COM") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="ntldr") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="MSDOS.SYS") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="IO.SYS") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="boot.ini") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="AUTOEXEC.BAT") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="ntuser.dat") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="desktop.ini") returned 1 [0103.399] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="CONFIG.SYS") returned 1 [0103.400] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="RECYCLER") returned 1 [0103.400] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="BOOTSECT.BAK") returned 1 [0103.400] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="bootmgr") returned 1 [0103.400] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="programdata") returned 1 [0103.400] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="appdata") returned 1 [0103.400] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="program files") returned 1 [0103.400] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="program files (x86)") returned 1 [0103.400] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.400] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="RpcZuWKqTIoEmC-7XzPq.csv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RpcZuWKqTIoEmC-7XzPq.csv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RpcZuWKqTIoEmC-7XzPq.csv" [0103.400] PathFindExtensionW (pszPath="RpcZuWKqTIoEmC-7XzPq.csv") returned=".csv" [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".NEPHILIM") returned -1 [0103.400] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0103.401] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0103.401] lstrcmpiW (lpString1="RpcZuWKqTIoEmC-7XzPq.csv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.401] lstrlenA (lpString="NEPHILIM") returned 8 [0103.401] GetProcessHeap () returned 0x4e0000 [0103.401] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505040 [0103.401] lstrlenA (lpString="NEPHILIM") returned 8 [0103.401] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RpcZuWKqTIoEmC-7XzPq.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rpczuwkqtioemc-7xzpq.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.401] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=12089) returned 1 [0103.401] GetProcessHeap () returned 0x4e0000 [0103.401] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.401] GetProcessHeap () returned 0x4e0000 [0103.401] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.401] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.401] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.401] GetProcessHeap () returned 0x4e0000 [0103.401] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.401] GetProcessHeap () returned 0x4e0000 [0103.401] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.401] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.402] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.402] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2f39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.402] SetLastError (dwErrCode=0x0) [0103.402] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.524] GetLastError () returned 0x0 [0103.524] GetLastError () returned 0x0 [0103.524] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x3039, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.524] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.524] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x3139, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.524] lstrlenA (lpString="NEPHILIM") returned 8 [0103.524] WriteFile (in: hFile=0xec, lpBuffer=0x505040*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505040*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.524] GetProcessHeap () returned 0x4e0000 [0103.524] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2f39) returned 0x50b8a8 [0103.525] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.525] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x2f39, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x2f39, lpOverlapped=0x0) returned 1 [0103.525] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.526] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x2f39, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x2f39, lpOverlapped=0x0) returned 1 [0103.526] GetProcessHeap () returned 0x4e0000 [0103.526] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0103.526] CloseHandle (hObject=0xec) returned 1 [0103.527] GetProcessHeap () returned 0x4e0000 [0103.527] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.527] GetProcessHeap () returned 0x4e0000 [0103.527] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.527] GetProcessHeap () returned 0x4e0000 [0103.527] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.527] GetProcessHeap () returned 0x4e0000 [0103.527] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.527] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RpcZuWKqTIoEmC-7XzPq.csv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RpcZuWKqTIoEmC-7XzPq.csv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RpcZuWKqTIoEmC-7XzPq.csv" [0103.527] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RpcZuWKqTIoEmC-7XzPq.csv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RpcZuWKqTIoEmC-7XzPq.csv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RpcZuWKqTIoEmC-7XzPq.csv.NEPHILIM" [0103.527] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RpcZuWKqTIoEmC-7XzPq.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rpczuwkqtioemc-7xzpq.csv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\RpcZuWKqTIoEmC-7XzPq.csv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rpczuwkqtioemc-7xzpq.csv.nephilim")) returned 1 [0103.529] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ea469b0, ftCreationTime.dwHighDateTime=0x1d5bc23, ftLastAccessTime.dwLowDateTime=0x95406130, ftLastAccessTime.dwHighDateTime=0x1d59077, ftLastWriteTime.dwLowDateTime=0x95406130, ftLastWriteTime.dwHighDateTime=0x1d59077, nFileSizeHigh=0x0, nFileSizeLow=0x6bbe, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="taV1q.docx", cAlternateFileName="TAV1Q~1.DOC")) returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2=".") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="..") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="...") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="windows") returned -1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="$RECYCLE.BIN") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="rsa") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="log") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="NTDETECT.COM") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="ntldr") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="MSDOS.SYS") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="IO.SYS") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="boot.ini") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="AUTOEXEC.BAT") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="ntuser.dat") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="desktop.ini") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="CONFIG.SYS") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="RECYCLER") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="BOOTSECT.BAK") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="bootmgr") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="programdata") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="appdata") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="program files") returned 1 [0103.529] lstrcmpiW (lpString1="taV1q.docx", lpString2="program files (x86)") returned 1 [0103.529] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.530] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="taV1q.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\taV1q.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\taV1q.docx" [0103.530] PathFindExtensionW (pszPath="taV1q.docx") returned=".docx" [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".NEPHILIM") returned -1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0103.530] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0103.530] lstrcmpiW (lpString1="taV1q.docx", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.530] lstrlenA (lpString="NEPHILIM") returned 8 [0103.530] GetProcessHeap () returned 0x4e0000 [0103.530] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505050 [0103.530] lstrlenA (lpString="NEPHILIM") returned 8 [0103.530] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\taV1q.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tav1q.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.531] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=27582) returned 1 [0103.531] GetProcessHeap () returned 0x4e0000 [0103.531] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.531] GetProcessHeap () returned 0x4e0000 [0103.531] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.531] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.531] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.531] GetProcessHeap () returned 0x4e0000 [0103.531] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.531] GetProcessHeap () returned 0x4e0000 [0103.531] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.531] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.532] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.532] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6bbe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.532] SetLastError (dwErrCode=0x0) [0103.532] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.533] GetLastError () returned 0x0 [0103.533] GetLastError () returned 0x0 [0103.533] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6cbe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.533] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.533] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6dbe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.534] lstrlenA (lpString="NEPHILIM") returned 8 [0103.534] WriteFile (in: hFile=0xec, lpBuffer=0x505050*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505050*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.534] GetProcessHeap () returned 0x4e0000 [0103.534] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x6bbe) returned 0x50b8a8 [0103.534] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.534] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x6bbe, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x6bbe, lpOverlapped=0x0) returned 1 [0103.536] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.536] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x6bbe, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x6bbe, lpOverlapped=0x0) returned 1 [0103.536] GetProcessHeap () returned 0x4e0000 [0103.536] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0103.536] CloseHandle (hObject=0xec) returned 1 [0103.537] GetProcessHeap () returned 0x4e0000 [0103.538] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.538] GetProcessHeap () returned 0x4e0000 [0103.538] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.538] GetProcessHeap () returned 0x4e0000 [0103.538] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.538] GetProcessHeap () returned 0x4e0000 [0103.538] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.538] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\taV1q.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\taV1q.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\taV1q.docx" [0103.538] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\taV1q.docx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\taV1q.docx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\taV1q.docx.NEPHILIM" [0103.538] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\taV1q.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tav1q.docx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\taV1q.docx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\tav1q.docx.nephilim")) returned 1 [0103.539] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54a53ca0, ftCreationTime.dwHighDateTime=0x1d5e26f, ftLastAccessTime.dwLowDateTime=0x610fd240, ftLastAccessTime.dwHighDateTime=0x1d5dc32, ftLastWriteTime.dwLowDateTime=0x610fd240, ftLastWriteTime.dwHighDateTime=0x1d5dc32, nFileSizeHigh=0x0, nFileSizeLow=0x17744, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="UNdkbVtnLslvox.csv", cAlternateFileName="UNDKBV~1.CSV")) returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2=".") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="..") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="...") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="windows") returned -1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="$RECYCLE.BIN") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="rsa") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="log") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="NTDETECT.COM") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="ntldr") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="MSDOS.SYS") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="IO.SYS") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="boot.ini") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="AUTOEXEC.BAT") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="ntuser.dat") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="desktop.ini") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="CONFIG.SYS") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="RECYCLER") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="BOOTSECT.BAK") returned 1 [0103.539] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="bootmgr") returned 1 [0103.540] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="programdata") returned 1 [0103.540] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="appdata") returned 1 [0103.540] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="program files") returned 1 [0103.540] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="program files (x86)") returned 1 [0103.540] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.540] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="UNdkbVtnLslvox.csv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\UNdkbVtnLslvox.csv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\UNdkbVtnLslvox.csv" [0103.540] PathFindExtensionW (pszPath="UNdkbVtnLslvox.csv") returned=".csv" [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".NEPHILIM") returned -1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0103.540] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0103.540] lstrcmpiW (lpString1="UNdkbVtnLslvox.csv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.540] lstrlenA (lpString="NEPHILIM") returned 8 [0103.540] GetProcessHeap () returned 0x4e0000 [0103.540] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505060 [0103.540] lstrlenA (lpString="NEPHILIM") returned 8 [0103.540] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\UNdkbVtnLslvox.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\undkbvtnlslvox.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.541] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=96068) returned 1 [0103.541] GetProcessHeap () returned 0x4e0000 [0103.541] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.541] GetProcessHeap () returned 0x4e0000 [0103.541] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.541] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.541] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.541] GetProcessHeap () returned 0x4e0000 [0103.541] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.541] GetProcessHeap () returned 0x4e0000 [0103.541] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.541] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.541] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.541] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17744, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.541] SetLastError (dwErrCode=0x0) [0103.542] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.542] GetLastError () returned 0x0 [0103.542] GetLastError () returned 0x0 [0103.543] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17844, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.543] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.543] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17944, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.543] lstrlenA (lpString="NEPHILIM") returned 8 [0103.543] WriteFile (in: hFile=0xec, lpBuffer=0x505060*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505060*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.543] GetProcessHeap () returned 0x4e0000 [0103.543] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x17744) returned 0x50b8a8 [0103.543] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.543] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x17744, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x17744, lpOverlapped=0x0) returned 1 [0103.549] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.549] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x17744, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x17744, lpOverlapped=0x0) returned 1 [0103.549] GetProcessHeap () returned 0x4e0000 [0103.549] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0103.549] CloseHandle (hObject=0xec) returned 1 [0103.551] GetProcessHeap () returned 0x4e0000 [0103.551] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.551] GetProcessHeap () returned 0x4e0000 [0103.551] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.551] GetProcessHeap () returned 0x4e0000 [0103.551] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.551] GetProcessHeap () returned 0x4e0000 [0103.551] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.551] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\UNdkbVtnLslvox.csv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\UNdkbVtnLslvox.csv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\UNdkbVtnLslvox.csv" [0103.551] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\UNdkbVtnLslvox.csv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\UNdkbVtnLslvox.csv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\UNdkbVtnLslvox.csv.NEPHILIM" [0103.551] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\UNdkbVtnLslvox.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\undkbvtnlslvox.csv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\UNdkbVtnLslvox.csv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\undkbvtnlslvox.csv.nephilim")) returned 1 [0103.552] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95388ee0, ftCreationTime.dwHighDateTime=0x1d572b0, ftLastAccessTime.dwLowDateTime=0xd03f090, ftLastAccessTime.dwHighDateTime=0x1d5ce82, ftLastWriteTime.dwLowDateTime=0xd03f090, ftLastWriteTime.dwHighDateTime=0x1d5ce82, nFileSizeHigh=0x0, nFileSizeLow=0xa5f0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="wovmA.docx", cAlternateFileName="WOVMA~1.DOC")) returned 1 [0103.552] lstrcmpiW (lpString1="wovmA.docx", lpString2=".") returned 1 [0103.552] lstrcmpiW (lpString1="wovmA.docx", lpString2="..") returned 1 [0103.552] lstrcmpiW (lpString1="wovmA.docx", lpString2="...") returned 1 [0103.552] lstrcmpiW (lpString1="wovmA.docx", lpString2="windows") returned 1 [0103.552] lstrcmpiW (lpString1="wovmA.docx", lpString2="$RECYCLE.BIN") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="rsa") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="log") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="NTDETECT.COM") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="ntldr") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="MSDOS.SYS") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="IO.SYS") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="boot.ini") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="AUTOEXEC.BAT") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="ntuser.dat") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="desktop.ini") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="CONFIG.SYS") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="RECYCLER") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="BOOTSECT.BAK") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="bootmgr") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="programdata") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="appdata") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="program files") returned 1 [0103.553] lstrcmpiW (lpString1="wovmA.docx", lpString2="program files (x86)") returned 1 [0103.553] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.553] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="wovmA.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wovmA.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wovmA.docx" [0103.553] PathFindExtensionW (pszPath="wovmA.docx") returned=".docx" [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0103.553] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0103.554] lstrcmpiW (lpString1=".docx", lpString2=".NEPHILIM") returned -1 [0103.554] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0103.554] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0103.554] lstrcmpiW (lpString1="wovmA.docx", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.554] lstrlenA (lpString="NEPHILIM") returned 8 [0103.554] GetProcessHeap () returned 0x4e0000 [0103.554] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505070 [0103.554] lstrlenA (lpString="NEPHILIM") returned 8 [0103.554] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wovmA.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\wovma.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.554] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=42480) returned 1 [0103.554] GetProcessHeap () returned 0x4e0000 [0103.554] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.554] GetProcessHeap () returned 0x4e0000 [0103.554] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.554] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.554] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.554] GetProcessHeap () returned 0x4e0000 [0103.554] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.554] GetProcessHeap () returned 0x4e0000 [0103.554] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.554] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.554] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.555] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xa5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.555] SetLastError (dwErrCode=0x0) [0103.555] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.556] GetLastError () returned 0x0 [0103.556] GetLastError () returned 0x0 [0103.556] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xa6f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.556] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.556] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xa7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.556] lstrlenA (lpString="NEPHILIM") returned 8 [0103.556] WriteFile (in: hFile=0xec, lpBuffer=0x505070*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505070*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.556] GetProcessHeap () returned 0x4e0000 [0103.556] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xa5f0) returned 0x50b8a8 [0103.556] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.556] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0xa5f0, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0xa5f0, lpOverlapped=0x0) returned 1 [0103.559] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.559] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0xa5f0, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0xa5f0, lpOverlapped=0x0) returned 1 [0103.559] GetProcessHeap () returned 0x4e0000 [0103.559] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0103.559] CloseHandle (hObject=0xec) returned 1 [0103.560] GetProcessHeap () returned 0x4e0000 [0103.560] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.560] GetProcessHeap () returned 0x4e0000 [0103.560] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.560] GetProcessHeap () returned 0x4e0000 [0103.560] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.560] GetProcessHeap () returned 0x4e0000 [0103.561] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.561] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wovmA.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wovmA.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wovmA.docx" [0103.561] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wovmA.docx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wovmA.docx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wovmA.docx.NEPHILIM" [0103.561] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wovmA.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\wovma.docx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\wovmA.docx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\wovma.docx.nephilim")) returned 1 [0103.562] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc3259b60, ftCreationTime.dwHighDateTime=0x1d5e7bb, ftLastAccessTime.dwLowDateTime=0xdf527dc0, ftLastAccessTime.dwHighDateTime=0x1d5d87b, ftLastWriteTime.dwLowDateTime=0xdf527dc0, ftLastWriteTime.dwHighDateTime=0x1d5d87b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="X5140S3Luj8ic32Dytgg", cAlternateFileName="X5140S~1")) returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2=".") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="..") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="...") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="windows") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="$RECYCLE.BIN") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="rsa") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="log") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="NTDETECT.COM") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="ntldr") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="MSDOS.SYS") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="IO.SYS") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="boot.ini") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="AUTOEXEC.BAT") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="ntuser.dat") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="desktop.ini") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="CONFIG.SYS") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="RECYCLER") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="BOOTSECT.BAK") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="bootmgr") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="programdata") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="appdata") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="program files") returned 1 [0103.562] lstrcmpiW (lpString1="X5140S3Luj8ic32Dytgg", lpString2="program files (x86)") returned 1 [0103.562] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.562] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="X5140S3Luj8ic32Dytgg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg" [0103.562] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" [0103.562] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" [0103.565] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\*.*" [0103.565] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc3259b60, ftCreationTime.dwHighDateTime=0x1d5e7bb, ftLastAccessTime.dwLowDateTime=0xdf527dc0, ftLastAccessTime.dwHighDateTime=0x1d5d87b, ftLastWriteTime.dwLowDateTime=0xdf527dc0, ftLastWriteTime.dwHighDateTime=0x1d5d87b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0x4650a9ce, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0103.565] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0103.565] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc3259b60, ftCreationTime.dwHighDateTime=0x1d5e7bb, ftLastAccessTime.dwLowDateTime=0xdf527dc0, ftLastAccessTime.dwHighDateTime=0x1d5d87b, ftLastWriteTime.dwLowDateTime=0xdf527dc0, ftLastWriteTime.dwHighDateTime=0x1d5d87b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0x4650a9ce, cFileName="..", cAlternateFileName="")) returned 1 [0103.565] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0103.565] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0103.565] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb59f8800, ftCreationTime.dwHighDateTime=0x1d5df70, ftLastAccessTime.dwLowDateTime=0xc20477f0, ftLastAccessTime.dwHighDateTime=0x1d5db5a, ftLastWriteTime.dwLowDateTime=0xc20477f0, ftLastWriteTime.dwHighDateTime=0x1d5db5a, nFileSizeHigh=0x0, nFileSizeLow=0x1207d, dwReserved0=0x24dddac, dwReserved1=0x4650a9ce, cFileName="6W5gI.csv", cAlternateFileName="")) returned 1 [0103.565] lstrcmpiW (lpString1="6W5gI.csv", lpString2=".") returned 1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="..") returned 1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="...") returned 1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="windows") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="$RECYCLE.BIN") returned 1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="rsa") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="log") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="NTDETECT.COM") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="ntldr") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="MSDOS.SYS") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="IO.SYS") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="boot.ini") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="AUTOEXEC.BAT") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="ntuser.dat") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="desktop.ini") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="CONFIG.SYS") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="RECYCLER") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="BOOTSECT.BAK") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="bootmgr") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="programdata") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="appdata") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="program files") returned -1 [0103.566] lstrcmpiW (lpString1="6W5gI.csv", lpString2="program files (x86)") returned -1 [0103.566] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" [0103.566] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\", lpString2="6W5gI.csv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\6W5gI.csv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\6W5gI.csv" [0103.566] PathFindExtensionW (pszPath="6W5gI.csv") returned=".csv" [0103.566] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".NEPHILIM") returned -1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0103.567] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0103.567] lstrcmpiW (lpString1="6W5gI.csv", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.567] lstrlenA (lpString="NEPHILIM") returned 8 [0103.567] GetProcessHeap () returned 0x4e0000 [0103.567] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505080 [0103.567] lstrlenA (lpString="NEPHILIM") returned 8 [0103.567] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\6W5gI.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\6w5gi.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0103.568] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=73853) returned 1 [0103.568] GetProcessHeap () returned 0x4e0000 [0103.568] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.568] GetProcessHeap () returned 0x4e0000 [0103.568] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.568] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.568] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.568] GetProcessHeap () returned 0x4e0000 [0103.568] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.568] GetProcessHeap () returned 0x4e0000 [0103.568] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.568] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0103.568] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0103.568] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x1207d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.569] GetLastError () returned 0x0 [0103.569] GetLastError () returned 0x0 [0103.569] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x1217d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.570] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.570] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x1227d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.570] lstrlenA (lpString="NEPHILIM") returned 8 [0103.570] WriteFile (in: hFile=0xf0, lpBuffer=0x505080*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x505080*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0103.570] GetProcessHeap () returned 0x4e0000 [0103.570] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1207d) returned 0x50c8b0 [0103.570] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.570] ReadFile (in: hFile=0xf0, lpBuffer=0x50c8b0, nNumberOfBytesToRead=0x1207d, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesRead=0x24dddb0*=0x1207d, lpOverlapped=0x0) returned 1 [0103.574] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.574] WriteFile (in: hFile=0xf0, lpBuffer=0x50c8b0*, nNumberOfBytesToWrite=0x1207d, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x1207d, lpOverlapped=0x0) returned 1 [0103.574] GetProcessHeap () returned 0x4e0000 [0103.575] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b0 | out: hHeap=0x4e0000) returned 1 [0103.575] CloseHandle (hObject=0xf0) returned 1 [0103.579] GetProcessHeap () returned 0x4e0000 [0103.579] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.579] GetProcessHeap () returned 0x4e0000 [0103.579] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.579] GetProcessHeap () returned 0x4e0000 [0103.579] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.579] GetProcessHeap () returned 0x4e0000 [0103.579] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.579] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\6W5gI.csv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\6W5gI.csv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\6W5gI.csv" [0103.579] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\6W5gI.csv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\6W5gI.csv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\6W5gI.csv.NEPHILIM" [0103.579] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\6W5gI.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\6w5gi.csv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\6W5gI.csv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\6w5gi.csv.nephilim")) returned 1 [0103.580] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xace373d0, ftCreationTime.dwHighDateTime=0x1d5defc, ftLastAccessTime.dwLowDateTime=0x3f8933e0, ftLastAccessTime.dwHighDateTime=0x1d5e548, ftLastWriteTime.dwLowDateTime=0x3f8933e0, ftLastWriteTime.dwHighDateTime=0x1d5e548, nFileSizeHigh=0x0, nFileSizeLow=0x4db9, dwReserved0=0x24dddac, dwReserved1=0x4650a9ce, cFileName="do1sBE.xlsx", cAlternateFileName="DO1SBE~1.XLS")) returned 1 [0103.580] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2=".") returned 1 [0103.580] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="..") returned 1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="...") returned 1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="windows") returned -1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="rsa") returned -1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="log") returned -1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="NTDETECT.COM") returned -1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="ntldr") returned -1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="MSDOS.SYS") returned -1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="IO.SYS") returned -1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="boot.ini") returned 1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="ntuser.dat") returned -1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="desktop.ini") returned 1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="CONFIG.SYS") returned 1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="RECYCLER") returned -1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="bootmgr") returned 1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="programdata") returned -1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="appdata") returned 1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="program files") returned -1 [0103.581] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="program files (x86)") returned -1 [0103.581] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" [0103.581] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\", lpString2="do1sBE.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\do1sBE.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\do1sBE.xlsx" [0103.581] PathFindExtensionW (pszPath="do1sBE.xlsx") returned=".xlsx" [0103.581] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0103.581] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0103.581] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".NEPHILIM") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0103.582] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0103.582] lstrcmpiW (lpString1="do1sBE.xlsx", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.582] lstrlenA (lpString="NEPHILIM") returned 8 [0103.582] GetProcessHeap () returned 0x4e0000 [0103.582] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505090 [0103.582] lstrlenA (lpString="NEPHILIM") returned 8 [0103.582] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\do1sBE.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\do1sbe.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0103.582] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=19897) returned 1 [0103.583] GetProcessHeap () returned 0x4e0000 [0103.583] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.583] GetProcessHeap () returned 0x4e0000 [0103.583] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.583] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.583] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.583] GetProcessHeap () returned 0x4e0000 [0103.583] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.583] GetProcessHeap () returned 0x4e0000 [0103.583] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.583] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0103.583] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0103.583] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x4db9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.583] SetLastError (dwErrCode=0x0) [0103.583] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.584] GetLastError () returned 0x0 [0103.584] GetLastError () returned 0x0 [0103.584] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x4eb9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.584] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.585] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x4fb9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.585] lstrlenA (lpString="NEPHILIM") returned 8 [0103.585] WriteFile (in: hFile=0xf0, lpBuffer=0x505090*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x505090*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0103.585] GetProcessHeap () returned 0x4e0000 [0103.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x4db9) returned 0x50c8b0 [0103.585] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.585] ReadFile (in: hFile=0xf0, lpBuffer=0x50c8b0, nNumberOfBytesToRead=0x4db9, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesRead=0x24dddb0*=0x4db9, lpOverlapped=0x0) returned 1 [0103.586] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.586] WriteFile (in: hFile=0xf0, lpBuffer=0x50c8b0*, nNumberOfBytesToWrite=0x4db9, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x4db9, lpOverlapped=0x0) returned 1 [0103.586] GetProcessHeap () returned 0x4e0000 [0103.586] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b0 | out: hHeap=0x4e0000) returned 1 [0103.586] CloseHandle (hObject=0xf0) returned 1 [0103.588] GetProcessHeap () returned 0x4e0000 [0103.588] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.588] GetProcessHeap () returned 0x4e0000 [0103.588] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.588] GetProcessHeap () returned 0x4e0000 [0103.588] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.588] GetProcessHeap () returned 0x4e0000 [0103.588] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.588] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\do1sBE.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\do1sBE.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\do1sBE.xlsx" [0103.588] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\do1sBE.xlsx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\do1sBE.xlsx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\do1sBE.xlsx.NEPHILIM" [0103.588] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\do1sBE.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\do1sbe.xlsx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\do1sBE.xlsx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\do1sbe.xlsx.nephilim")) returned 1 [0103.589] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2b9a380, ftCreationTime.dwHighDateTime=0x1d5e4bd, ftLastAccessTime.dwLowDateTime=0x644c5190, ftLastAccessTime.dwHighDateTime=0x1d5d8ae, ftLastWriteTime.dwLowDateTime=0x644c5190, ftLastWriteTime.dwHighDateTime=0x1d5d8ae, nFileSizeHigh=0x0, nFileSizeLow=0x15d80, dwReserved0=0x24dddac, dwReserved1=0x4650a9ce, cFileName="dV-HSrMn.ods", cAlternateFileName="")) returned 1 [0103.589] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2=".") returned 1 [0103.589] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="..") returned 1 [0103.589] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="...") returned 1 [0103.589] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="windows") returned -1 [0103.589] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="$RECYCLE.BIN") returned 1 [0103.589] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="rsa") returned -1 [0103.589] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="log") returned -1 [0103.589] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="NTDETECT.COM") returned -1 [0103.589] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="ntldr") returned -1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="MSDOS.SYS") returned -1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="IO.SYS") returned -1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="boot.ini") returned 1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="AUTOEXEC.BAT") returned 1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="ntuser.dat") returned -1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="desktop.ini") returned 1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="CONFIG.SYS") returned 1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="RECYCLER") returned -1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="BOOTSECT.BAK") returned 1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="bootmgr") returned 1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="programdata") returned -1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="appdata") returned 1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="program files") returned -1 [0103.590] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="program files (x86)") returned -1 [0103.590] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" [0103.590] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\", lpString2="dV-HSrMn.ods" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\dV-HSrMn.ods") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\dV-HSrMn.ods" [0103.590] PathFindExtensionW (pszPath="dV-HSrMn.ods") returned=".ods" [0103.590] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0103.590] lstrcmpiW (lpString1=".ods", lpString2=".log") returned 1 [0103.590] lstrcmpiW (lpString1=".ods", lpString2=".cab") returned 1 [0103.590] lstrcmpiW (lpString1=".ods", lpString2=".cmd") returned 1 [0103.590] lstrcmpiW (lpString1=".ods", lpString2=".com") returned 1 [0103.590] lstrcmpiW (lpString1=".ods", lpString2=".cpl") returned 1 [0103.590] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0103.590] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0103.590] lstrcmpiW (lpString1=".ods", lpString2=".url") returned -1 [0103.590] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0103.590] lstrcmpiW (lpString1=".ods", lpString2=".mp3") returned 1 [0103.591] lstrcmpiW (lpString1=".ods", lpString2=".pif") returned -1 [0103.591] lstrcmpiW (lpString1=".ods", lpString2=".mp4") returned 1 [0103.591] lstrcmpiW (lpString1=".ods", lpString2=".NEPHILIM") returned 1 [0103.591] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0103.591] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0103.591] lstrcmpiW (lpString1="dV-HSrMn.ods", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.591] lstrlenA (lpString="NEPHILIM") returned 8 [0103.591] GetProcessHeap () returned 0x4e0000 [0103.591] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5050a0 [0103.591] lstrlenA (lpString="NEPHILIM") returned 8 [0103.591] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\dV-HSrMn.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\dv-hsrmn.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0103.591] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=89472) returned 1 [0103.591] GetProcessHeap () returned 0x4e0000 [0103.591] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.591] GetProcessHeap () returned 0x4e0000 [0103.591] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.591] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.591] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.591] GetProcessHeap () returned 0x4e0000 [0103.591] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.591] GetProcessHeap () returned 0x4e0000 [0103.591] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.591] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0103.592] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0103.592] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x15d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.592] SetLastError (dwErrCode=0x0) [0103.592] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.593] GetLastError () returned 0x0 [0103.593] GetLastError () returned 0x0 [0103.593] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x15e80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.593] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.593] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x15f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.593] lstrlenA (lpString="NEPHILIM") returned 8 [0103.593] WriteFile (in: hFile=0xf0, lpBuffer=0x5050a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5050a0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0103.593] GetProcessHeap () returned 0x4e0000 [0103.593] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x15d80) returned 0x50c8b0 [0103.593] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.593] ReadFile (in: hFile=0xf0, lpBuffer=0x50c8b0, nNumberOfBytesToRead=0x15d80, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesRead=0x24dddb0*=0x15d80, lpOverlapped=0x0) returned 1 [0103.598] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.599] WriteFile (in: hFile=0xf0, lpBuffer=0x50c8b0*, nNumberOfBytesToWrite=0x15d80, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x15d80, lpOverlapped=0x0) returned 1 [0103.599] GetProcessHeap () returned 0x4e0000 [0103.599] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b0 | out: hHeap=0x4e0000) returned 1 [0103.599] CloseHandle (hObject=0xf0) returned 1 [0103.601] GetProcessHeap () returned 0x4e0000 [0103.601] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.601] GetProcessHeap () returned 0x4e0000 [0103.601] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.601] GetProcessHeap () returned 0x4e0000 [0103.601] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.601] GetProcessHeap () returned 0x4e0000 [0103.601] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.601] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\dV-HSrMn.ods" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\dV-HSrMn.ods") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\dV-HSrMn.ods" [0103.601] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\dV-HSrMn.ods", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\dV-HSrMn.ods.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\dV-HSrMn.ods.NEPHILIM" [0103.601] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\dV-HSrMn.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\dv-hsrmn.ods"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\dV-HSrMn.ods.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\dv-hsrmn.ods.nephilim")) returned 1 [0103.602] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb238da30, ftCreationTime.dwHighDateTime=0x1d5df6c, ftLastAccessTime.dwLowDateTime=0x2a01f020, ftLastAccessTime.dwHighDateTime=0x1d5deb3, ftLastWriteTime.dwLowDateTime=0x2a01f020, ftLastWriteTime.dwHighDateTime=0x1d5deb3, nFileSizeHigh=0x0, nFileSizeLow=0x1116f, dwReserved0=0x24dddac, dwReserved1=0x4650a9ce, cFileName="HK56cudxP vZ9.csv", cAlternateFileName="HK56CU~1.CSV")) returned 1 [0103.602] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2=".") returned 1 [0103.602] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="..") returned 1 [0103.602] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="...") returned 1 [0103.602] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="windows") returned -1 [0103.602] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="$RECYCLE.BIN") returned 1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="rsa") returned -1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="log") returned -1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="NTDETECT.COM") returned -1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="ntldr") returned -1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="MSDOS.SYS") returned -1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="IO.SYS") returned -1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="boot.ini") returned 1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="AUTOEXEC.BAT") returned 1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="ntuser.dat") returned -1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="desktop.ini") returned 1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="CONFIG.SYS") returned 1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="RECYCLER") returned -1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="BOOTSECT.BAK") returned 1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="bootmgr") returned 1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="programdata") returned -1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="appdata") returned 1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="program files") returned -1 [0103.603] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="program files (x86)") returned -1 [0103.603] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" [0103.603] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\", lpString2="HK56cudxP vZ9.csv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\HK56cudxP vZ9.csv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\HK56cudxP vZ9.csv" [0103.603] PathFindExtensionW (pszPath="HK56cudxP vZ9.csv") returned=".csv" [0103.603] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0103.603] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".NEPHILIM") returned -1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0103.604] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0103.604] lstrcmpiW (lpString1="HK56cudxP vZ9.csv", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.604] lstrlenA (lpString="NEPHILIM") returned 8 [0103.604] GetProcessHeap () returned 0x4e0000 [0103.604] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5050b0 [0103.604] lstrlenA (lpString="NEPHILIM") returned 8 [0103.604] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\HK56cudxP vZ9.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\hk56cudxp vz9.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0103.605] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=69999) returned 1 [0103.605] GetProcessHeap () returned 0x4e0000 [0103.605] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.605] GetProcessHeap () returned 0x4e0000 [0103.605] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.605] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.605] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.605] GetProcessHeap () returned 0x4e0000 [0103.605] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.605] GetProcessHeap () returned 0x4e0000 [0103.605] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.605] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0103.605] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0103.605] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x1116f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.606] SetLastError (dwErrCode=0x0) [0103.606] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.607] GetLastError () returned 0x0 [0103.607] GetLastError () returned 0x0 [0103.607] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x1126f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.607] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.607] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x1136f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.607] lstrlenA (lpString="NEPHILIM") returned 8 [0103.607] WriteFile (in: hFile=0xf0, lpBuffer=0x5050b0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5050b0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0103.607] GetProcessHeap () returned 0x4e0000 [0103.607] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1116f) returned 0x50c8b0 [0103.607] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.607] ReadFile (in: hFile=0xf0, lpBuffer=0x50c8b0, nNumberOfBytesToRead=0x1116f, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesRead=0x24dddb0*=0x1116f, lpOverlapped=0x0) returned 1 [0103.614] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.614] WriteFile (in: hFile=0xf0, lpBuffer=0x50c8b0*, nNumberOfBytesToWrite=0x1116f, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x1116f, lpOverlapped=0x0) returned 1 [0103.615] GetProcessHeap () returned 0x4e0000 [0103.615] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b0 | out: hHeap=0x4e0000) returned 1 [0103.615] CloseHandle (hObject=0xf0) returned 1 [0103.620] GetProcessHeap () returned 0x4e0000 [0103.620] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.620] GetProcessHeap () returned 0x4e0000 [0103.620] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.620] GetProcessHeap () returned 0x4e0000 [0103.620] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.620] GetProcessHeap () returned 0x4e0000 [0103.620] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.620] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\HK56cudxP vZ9.csv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\HK56cudxP vZ9.csv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\HK56cudxP vZ9.csv" [0103.620] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\HK56cudxP vZ9.csv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\HK56cudxP vZ9.csv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\HK56cudxP vZ9.csv.NEPHILIM" [0103.620] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\HK56cudxP vZ9.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\hk56cudxp vz9.csv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\HK56cudxP vZ9.csv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\hk56cudxp vz9.csv.nephilim")) returned 1 [0103.621] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6d7f390, ftCreationTime.dwHighDateTime=0x1d5dea3, ftLastAccessTime.dwLowDateTime=0x51789000, ftLastAccessTime.dwHighDateTime=0x1d5d7f6, ftLastWriteTime.dwLowDateTime=0x51789000, ftLastWriteTime.dwHighDateTime=0x1d5d7f6, nFileSizeHigh=0x0, nFileSizeLow=0xbe67, dwReserved0=0x24dddac, dwReserved1=0x4650a9ce, cFileName="PL0_s7sccV.pptx", cAlternateFileName="PL0_S7~1.PPT")) returned 1 [0103.621] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2=".") returned 1 [0103.621] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="..") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="...") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="windows") returned -1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="$RECYCLE.BIN") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="rsa") returned -1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="log") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="NTDETECT.COM") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="ntldr") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="MSDOS.SYS") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="IO.SYS") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="boot.ini") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="ntuser.dat") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="desktop.ini") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="CONFIG.SYS") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="RECYCLER") returned -1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="BOOTSECT.BAK") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="bootmgr") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="programdata") returned -1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="appdata") returned 1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="program files") returned -1 [0103.622] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="program files (x86)") returned -1 [0103.622] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" [0103.622] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\", lpString2="PL0_s7sccV.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\PL0_s7sccV.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\PL0_s7sccV.pptx" [0103.622] PathFindExtensionW (pszPath="PL0_s7sccV.pptx") returned=".pptx" [0103.622] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0103.622] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0103.622] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0103.624] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0103.624] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0103.624] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0103.624] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0103.624] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0103.624] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0103.624] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0103.624] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0103.625] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0103.625] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0103.625] lstrcmpiW (lpString1=".pptx", lpString2=".NEPHILIM") returned 1 [0103.625] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0103.625] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0103.625] lstrcmpiW (lpString1="PL0_s7sccV.pptx", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.625] lstrlenA (lpString="NEPHILIM") returned 8 [0103.625] GetProcessHeap () returned 0x4e0000 [0103.625] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5050c0 [0103.625] lstrlenA (lpString="NEPHILIM") returned 8 [0103.625] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\PL0_s7sccV.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\pl0_s7sccv.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0103.626] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=48743) returned 1 [0103.626] GetProcessHeap () returned 0x4e0000 [0103.626] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.626] GetProcessHeap () returned 0x4e0000 [0103.626] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.626] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.626] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.626] GetProcessHeap () returned 0x4e0000 [0103.626] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.626] GetProcessHeap () returned 0x4e0000 [0103.626] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.626] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0103.626] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0103.626] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbe67, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.626] SetLastError (dwErrCode=0x0) [0103.626] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.627] GetLastError () returned 0x0 [0103.627] GetLastError () returned 0x0 [0103.627] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbf67, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.627] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.628] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xc067, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.628] lstrlenA (lpString="NEPHILIM") returned 8 [0103.628] WriteFile (in: hFile=0xf0, lpBuffer=0x5050c0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5050c0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0103.628] GetProcessHeap () returned 0x4e0000 [0103.628] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xbe67) returned 0x50c8b0 [0103.628] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.628] ReadFile (in: hFile=0xf0, lpBuffer=0x50c8b0, nNumberOfBytesToRead=0xbe67, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesRead=0x24dddb0*=0xbe67, lpOverlapped=0x0) returned 1 [0103.631] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.631] WriteFile (in: hFile=0xf0, lpBuffer=0x50c8b0*, nNumberOfBytesToWrite=0xbe67, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesWritten=0x24dddbc*=0xbe67, lpOverlapped=0x0) returned 1 [0103.631] GetProcessHeap () returned 0x4e0000 [0103.631] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b0 | out: hHeap=0x4e0000) returned 1 [0103.631] CloseHandle (hObject=0xf0) returned 1 [0103.633] GetProcessHeap () returned 0x4e0000 [0103.633] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.633] GetProcessHeap () returned 0x4e0000 [0103.633] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.633] GetProcessHeap () returned 0x4e0000 [0103.633] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.633] GetProcessHeap () returned 0x4e0000 [0103.633] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.633] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\PL0_s7sccV.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\PL0_s7sccV.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\PL0_s7sccV.pptx" [0103.633] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\PL0_s7sccV.pptx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\PL0_s7sccV.pptx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\PL0_s7sccV.pptx.NEPHILIM" [0103.633] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\PL0_s7sccV.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\pl0_s7sccv.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\PL0_s7sccV.pptx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\pl0_s7sccv.pptx.nephilim")) returned 1 [0103.634] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf7e68b0, ftCreationTime.dwHighDateTime=0x1d5dbfd, ftLastAccessTime.dwLowDateTime=0xe0626aa0, ftLastAccessTime.dwHighDateTime=0x1d5de6f, ftLastWriteTime.dwLowDateTime=0xe0626aa0, ftLastWriteTime.dwHighDateTime=0x1d5de6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0x4650a9ce, cFileName="Rf87NKFT", cAlternateFileName="")) returned 1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2=".") returned 1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="..") returned 1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="...") returned 1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="windows") returned -1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="$RECYCLE.BIN") returned 1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="rsa") returned -1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="log") returned 1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="NTDETECT.COM") returned 1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="ntldr") returned 1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="MSDOS.SYS") returned 1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="IO.SYS") returned 1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="boot.ini") returned 1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="AUTOEXEC.BAT") returned 1 [0103.634] lstrcmpiW (lpString1="Rf87NKFT", lpString2="ntuser.dat") returned 1 [0103.635] lstrcmpiW (lpString1="Rf87NKFT", lpString2="desktop.ini") returned 1 [0103.635] lstrcmpiW (lpString1="Rf87NKFT", lpString2="CONFIG.SYS") returned 1 [0103.635] lstrcmpiW (lpString1="Rf87NKFT", lpString2="RECYCLER") returned 1 [0103.635] lstrcmpiW (lpString1="Rf87NKFT", lpString2="BOOTSECT.BAK") returned 1 [0103.635] lstrcmpiW (lpString1="Rf87NKFT", lpString2="bootmgr") returned 1 [0103.635] lstrcmpiW (lpString1="Rf87NKFT", lpString2="programdata") returned 1 [0103.635] lstrcmpiW (lpString1="Rf87NKFT", lpString2="appdata") returned 1 [0103.635] lstrcmpiW (lpString1="Rf87NKFT", lpString2="program files") returned 1 [0103.635] lstrcmpiW (lpString1="Rf87NKFT", lpString2="program files (x86)") returned 1 [0103.635] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" [0103.635] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\", lpString2="Rf87NKFT" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT" [0103.635] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" [0103.635] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" [0103.635] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\*.*" [0103.635] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf7e68b0, ftCreationTime.dwHighDateTime=0x1d5dbfd, ftLastAccessTime.dwLowDateTime=0xe0626aa0, ftLastAccessTime.dwHighDateTime=0x1d5de6f, ftLastWriteTime.dwLowDateTime=0xe0626aa0, ftLastWriteTime.dwHighDateTime=0x1d5de6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x5af26689, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0103.635] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0103.635] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf7e68b0, ftCreationTime.dwHighDateTime=0x1d5dbfd, ftLastAccessTime.dwLowDateTime=0xe0626aa0, ftLastAccessTime.dwHighDateTime=0x1d5de6f, ftLastWriteTime.dwLowDateTime=0xe0626aa0, ftLastWriteTime.dwHighDateTime=0x1d5de6f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x5af26689, cFileName="..", cAlternateFileName="")) returned 1 [0103.635] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0103.636] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0103.636] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ea26460, ftCreationTime.dwHighDateTime=0x1d5e1c7, ftLastAccessTime.dwLowDateTime=0x5b41a220, ftLastAccessTime.dwHighDateTime=0x1d5e304, ftLastWriteTime.dwLowDateTime=0x5b41a220, ftLastWriteTime.dwHighDateTime=0x1d5e304, nFileSizeHigh=0x0, nFileSizeLow=0x15c59, dwReserved0=0x24dd72c, dwReserved1=0x5af26689, cFileName="3nwYBHTjUPQgub53.doc", cAlternateFileName="3NWYBH~1.DOC")) returned 1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2=".") returned 1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="..") returned 1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="...") returned 1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="windows") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="$RECYCLE.BIN") returned 1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="rsa") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="log") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="NTDETECT.COM") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="ntldr") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="MSDOS.SYS") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="IO.SYS") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="boot.ini") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="AUTOEXEC.BAT") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="ntuser.dat") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="desktop.ini") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="CONFIG.SYS") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="RECYCLER") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="BOOTSECT.BAK") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="bootmgr") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="programdata") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="appdata") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="program files") returned -1 [0103.636] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="program files (x86)") returned -1 [0103.636] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" [0103.636] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\", lpString2="3nwYBHTjUPQgub53.doc" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\3nwYBHTjUPQgub53.doc") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\3nwYBHTjUPQgub53.doc" [0103.637] PathFindExtensionW (pszPath="3nwYBHTjUPQgub53.doc") returned=".doc" [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".com") returned 1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".cpl") returned 1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".url") returned -1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".mp3") returned -1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".pif") returned -1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".mp4") returned -1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".NEPHILIM") returned -1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0103.637] lstrcmpiW (lpString1=".doc", lpString2=".lnk") returned -1 [0103.637] lstrcmpiW (lpString1="3nwYBHTjUPQgub53.doc", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.637] lstrlenA (lpString="NEPHILIM") returned 8 [0103.637] GetProcessHeap () returned 0x4e0000 [0103.637] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5050d0 [0103.637] lstrlenA (lpString="NEPHILIM") returned 8 [0103.637] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\3nwYBHTjUPQgub53.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\3nwybhtjupqgub53.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0103.638] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=89177) returned 1 [0103.638] GetProcessHeap () returned 0x4e0000 [0103.638] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.638] GetProcessHeap () returned 0x4e0000 [0103.638] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.638] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.638] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.638] GetProcessHeap () returned 0x4e0000 [0103.638] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.638] GetProcessHeap () returned 0x4e0000 [0103.638] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.638] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0103.638] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0103.638] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x15c59, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.639] SetLastError (dwErrCode=0x0) [0103.639] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.640] GetLastError () returned 0x0 [0103.640] GetLastError () returned 0x0 [0103.640] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x15d59, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.640] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.640] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x15e59, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.640] lstrlenA (lpString="NEPHILIM") returned 8 [0103.640] WriteFile (in: hFile=0xf4, lpBuffer=0x5050d0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5050d0*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0103.640] GetProcessHeap () returned 0x4e0000 [0103.640] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x15c59) returned 0x50d8b8 [0103.640] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.640] ReadFile (in: hFile=0xf4, lpBuffer=0x50d8b8, nNumberOfBytesToRead=0x15c59, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesRead=0x24dd730*=0x15c59, lpOverlapped=0x0) returned 1 [0103.646] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.646] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8b8*, nNumberOfBytesToWrite=0x15c59, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x15c59, lpOverlapped=0x0) returned 1 [0103.647] GetProcessHeap () returned 0x4e0000 [0103.647] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d8b8 | out: hHeap=0x4e0000) returned 1 [0103.647] CloseHandle (hObject=0xf4) returned 1 [0103.688] GetProcessHeap () returned 0x4e0000 [0103.688] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.688] GetProcessHeap () returned 0x4e0000 [0103.688] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.689] GetProcessHeap () returned 0x4e0000 [0103.689] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.689] GetProcessHeap () returned 0x4e0000 [0103.689] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.689] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\3nwYBHTjUPQgub53.doc" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\3nwYBHTjUPQgub53.doc") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\3nwYBHTjUPQgub53.doc" [0103.689] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\3nwYBHTjUPQgub53.doc", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\3nwYBHTjUPQgub53.doc.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\3nwYBHTjUPQgub53.doc.NEPHILIM" [0103.689] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\3nwYBHTjUPQgub53.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\3nwybhtjupqgub53.doc"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\3nwYBHTjUPQgub53.doc.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\3nwybhtjupqgub53.doc.nephilim")) returned 1 [0103.690] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdf60e60, ftCreationTime.dwHighDateTime=0x1d5e3db, ftLastAccessTime.dwLowDateTime=0xd07393d0, ftLastAccessTime.dwHighDateTime=0x1d5dda7, ftLastWriteTime.dwLowDateTime=0xd07393d0, ftLastWriteTime.dwHighDateTime=0x1d5dda7, nFileSizeHigh=0x0, nFileSizeLow=0xc20a, dwReserved0=0x24dd72c, dwReserved1=0x5af26689, cFileName="4pymoj9sP.docx", cAlternateFileName="4PYMOJ~1.DOC")) returned 1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2=".") returned 1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="..") returned 1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="...") returned 1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="windows") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="$RECYCLE.BIN") returned 1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="rsa") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="log") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="NTDETECT.COM") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="ntldr") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="MSDOS.SYS") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="IO.SYS") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="boot.ini") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="AUTOEXEC.BAT") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="ntuser.dat") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="desktop.ini") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="CONFIG.SYS") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="RECYCLER") returned -1 [0103.690] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="BOOTSECT.BAK") returned -1 [0103.691] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="bootmgr") returned -1 [0103.691] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="programdata") returned -1 [0103.691] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="appdata") returned -1 [0103.691] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="program files") returned -1 [0103.691] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="program files (x86)") returned -1 [0103.691] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" [0103.691] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\", lpString2="4pymoj9sP.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4pymoj9sP.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4pymoj9sP.docx" [0103.691] PathFindExtensionW (pszPath="4pymoj9sP.docx") returned=".docx" [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".NEPHILIM") returned -1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0103.691] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0103.691] lstrcmpiW (lpString1="4pymoj9sP.docx", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.692] lstrlenA (lpString="NEPHILIM") returned 8 [0103.692] GetProcessHeap () returned 0x4e0000 [0103.692] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5050e0 [0103.692] lstrlenA (lpString="NEPHILIM") returned 8 [0103.692] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4pymoj9sP.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\4pymoj9sp.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0103.692] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=49674) returned 1 [0103.692] GetProcessHeap () returned 0x4e0000 [0103.692] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.692] GetProcessHeap () returned 0x4e0000 [0103.692] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.692] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.692] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.692] GetProcessHeap () returned 0x4e0000 [0103.692] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.692] GetProcessHeap () returned 0x4e0000 [0103.692] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.692] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0103.693] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0103.693] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xc20a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.693] SetLastError (dwErrCode=0x0) [0103.693] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.694] GetLastError () returned 0x0 [0103.694] GetLastError () returned 0x0 [0103.694] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xc30a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.694] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.694] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xc40a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.694] lstrlenA (lpString="NEPHILIM") returned 8 [0103.695] WriteFile (in: hFile=0xf4, lpBuffer=0x5050e0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5050e0*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0103.695] GetProcessHeap () returned 0x4e0000 [0103.695] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xc20a) returned 0x50d8b8 [0103.695] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.695] ReadFile (in: hFile=0xf4, lpBuffer=0x50d8b8, nNumberOfBytesToRead=0xc20a, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesRead=0x24dd730*=0xc20a, lpOverlapped=0x0) returned 1 [0103.698] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.698] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8b8*, nNumberOfBytesToWrite=0xc20a, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesWritten=0x24dd73c*=0xc20a, lpOverlapped=0x0) returned 1 [0103.698] GetProcessHeap () returned 0x4e0000 [0103.698] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d8b8 | out: hHeap=0x4e0000) returned 1 [0103.698] CloseHandle (hObject=0xf4) returned 1 [0103.709] GetProcessHeap () returned 0x4e0000 [0103.709] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.709] GetProcessHeap () returned 0x4e0000 [0103.709] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.709] GetProcessHeap () returned 0x4e0000 [0103.709] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.709] GetProcessHeap () returned 0x4e0000 [0103.709] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.709] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4pymoj9sP.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4pymoj9sP.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4pymoj9sP.docx" [0103.709] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4pymoj9sP.docx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4pymoj9sP.docx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4pymoj9sP.docx.NEPHILIM" [0103.709] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4pymoj9sP.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\4pymoj9sp.docx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4pymoj9sP.docx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\4pymoj9sp.docx.nephilim")) returned 1 [0103.710] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1c042b0, ftCreationTime.dwHighDateTime=0x1d5e6a8, ftLastAccessTime.dwLowDateTime=0xaa2d24c0, ftLastAccessTime.dwHighDateTime=0x1d5e7c0, ftLastWriteTime.dwLowDateTime=0xaa2d24c0, ftLastWriteTime.dwHighDateTime=0x1d5e7c0, nFileSizeHigh=0x0, nFileSizeLow=0x7e90, dwReserved0=0x24dd72c, dwReserved1=0x5af26689, cFileName="4rFkQkbw6 fiW9Q.pptx", cAlternateFileName="4RFKQK~1.PPT")) returned 1 [0103.710] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2=".") returned 1 [0103.710] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="..") returned 1 [0103.710] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="...") returned 1 [0103.710] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="windows") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="$RECYCLE.BIN") returned 1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="rsa") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="log") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="NTDETECT.COM") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="ntldr") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="MSDOS.SYS") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="IO.SYS") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="boot.ini") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="AUTOEXEC.BAT") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="ntuser.dat") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="desktop.ini") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="CONFIG.SYS") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="RECYCLER") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="BOOTSECT.BAK") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="bootmgr") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="programdata") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="appdata") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="program files") returned -1 [0103.711] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="program files (x86)") returned -1 [0103.711] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" [0103.711] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\", lpString2="4rFkQkbw6 fiW9Q.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4rFkQkbw6 fiW9Q.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4rFkQkbw6 fiW9Q.pptx" [0103.712] PathFindExtensionW (pszPath="4rFkQkbw6 fiW9Q.pptx") returned=".pptx" [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".NEPHILIM") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0103.712] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0103.712] lstrcmpiW (lpString1="4rFkQkbw6 fiW9Q.pptx", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.712] lstrlenA (lpString="NEPHILIM") returned 8 [0103.712] GetProcessHeap () returned 0x4e0000 [0103.712] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5050f0 [0103.712] lstrlenA (lpString="NEPHILIM") returned 8 [0103.713] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4rFkQkbw6 fiW9Q.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\4rfkqkbw6 fiw9q.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0103.713] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=32400) returned 1 [0103.713] GetProcessHeap () returned 0x4e0000 [0103.713] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.713] GetProcessHeap () returned 0x4e0000 [0103.713] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.713] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.713] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.713] GetProcessHeap () returned 0x4e0000 [0103.713] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.713] GetProcessHeap () returned 0x4e0000 [0103.713] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.713] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0103.714] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0103.714] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x7e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.714] SetLastError (dwErrCode=0x0) [0103.714] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.715] GetLastError () returned 0x0 [0103.715] GetLastError () returned 0x0 [0103.715] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x7f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.715] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.716] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x8090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.716] lstrlenA (lpString="NEPHILIM") returned 8 [0103.716] WriteFile (in: hFile=0xf4, lpBuffer=0x5050f0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5050f0*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0103.716] GetProcessHeap () returned 0x4e0000 [0103.716] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x7e90) returned 0x50d8b8 [0103.716] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.716] ReadFile (in: hFile=0xf4, lpBuffer=0x50d8b8, nNumberOfBytesToRead=0x7e90, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesRead=0x24dd730*=0x7e90, lpOverlapped=0x0) returned 1 [0103.718] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.718] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8b8*, nNumberOfBytesToWrite=0x7e90, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x7e90, lpOverlapped=0x0) returned 1 [0103.719] GetProcessHeap () returned 0x4e0000 [0103.720] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d8b8 | out: hHeap=0x4e0000) returned 1 [0103.720] CloseHandle (hObject=0xf4) returned 1 [0103.724] GetProcessHeap () returned 0x4e0000 [0103.724] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.724] GetProcessHeap () returned 0x4e0000 [0103.724] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.724] GetProcessHeap () returned 0x4e0000 [0103.724] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.724] GetProcessHeap () returned 0x4e0000 [0103.724] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.724] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4rFkQkbw6 fiW9Q.pptx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4rFkQkbw6 fiW9Q.pptx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4rFkQkbw6 fiW9Q.pptx" [0103.724] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4rFkQkbw6 fiW9Q.pptx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4rFkQkbw6 fiW9Q.pptx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4rFkQkbw6 fiW9Q.pptx.NEPHILIM" [0103.725] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4rFkQkbw6 fiW9Q.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\4rfkqkbw6 fiw9q.pptx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\4rFkQkbw6 fiW9Q.pptx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\4rfkqkbw6 fiw9q.pptx.nephilim")) returned 1 [0103.725] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5adb8c10, ftCreationTime.dwHighDateTime=0x1d5e61f, ftLastAccessTime.dwLowDateTime=0x9bba09c0, ftLastAccessTime.dwHighDateTime=0x1d5d858, ftLastWriteTime.dwLowDateTime=0x9bba09c0, ftLastWriteTime.dwHighDateTime=0x1d5d858, nFileSizeHigh=0x0, nFileSizeLow=0x14a85, dwReserved0=0x24dd72c, dwReserved1=0x5af26689, cFileName="9B-2P.xls", cAlternateFileName="")) returned 1 [0103.725] lstrcmpiW (lpString1="9B-2P.xls", lpString2=".") returned 1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="..") returned 1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="...") returned 1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="windows") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="$RECYCLE.BIN") returned 1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="rsa") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="log") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="NTDETECT.COM") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="ntldr") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="MSDOS.SYS") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="IO.SYS") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="boot.ini") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="AUTOEXEC.BAT") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="ntuser.dat") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="desktop.ini") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="CONFIG.SYS") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="RECYCLER") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="BOOTSECT.BAK") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="bootmgr") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="programdata") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="appdata") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="program files") returned -1 [0103.726] lstrcmpiW (lpString1="9B-2P.xls", lpString2="program files (x86)") returned -1 [0103.726] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" [0103.726] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\", lpString2="9B-2P.xls" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\9B-2P.xls") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\9B-2P.xls" [0103.727] PathFindExtensionW (pszPath="9B-2P.xls") returned=".xls" [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".NEPHILIM") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0103.727] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0103.727] lstrcmpiW (lpString1="9B-2P.xls", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0103.727] lstrlenA (lpString="NEPHILIM") returned 8 [0103.727] GetProcessHeap () returned 0x4e0000 [0103.727] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505100 [0103.728] lstrlenA (lpString="NEPHILIM") returned 8 [0103.728] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\9B-2P.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\9b-2p.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0103.728] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=84613) returned 1 [0103.728] GetProcessHeap () returned 0x4e0000 [0103.728] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.728] GetProcessHeap () returned 0x4e0000 [0103.728] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.728] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.728] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.728] GetProcessHeap () returned 0x4e0000 [0103.728] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.728] GetProcessHeap () returned 0x4e0000 [0103.728] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.728] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0103.729] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0103.729] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x14a85, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.729] SetLastError (dwErrCode=0x0) [0103.729] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.730] GetLastError () returned 0x0 [0103.730] GetLastError () returned 0x0 [0103.730] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x14b85, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.730] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.730] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x14c85, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.731] lstrlenA (lpString="NEPHILIM") returned 8 [0103.731] WriteFile (in: hFile=0xf4, lpBuffer=0x505100*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x505100*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0103.731] GetProcessHeap () returned 0x4e0000 [0103.731] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x14a85) returned 0x50d8b8 [0103.731] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.731] ReadFile (in: hFile=0xf4, lpBuffer=0x50d8b8, nNumberOfBytesToRead=0x14a85, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesRead=0x24dd730*=0x14a85, lpOverlapped=0x0) returned 1 [0103.738] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.738] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8b8*, nNumberOfBytesToWrite=0x14a85, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x14a85, lpOverlapped=0x0) returned 1 [0103.739] GetProcessHeap () returned 0x4e0000 [0103.739] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d8b8 | out: hHeap=0x4e0000) returned 1 [0103.739] CloseHandle (hObject=0xf4) returned 1 [0103.744] GetProcessHeap () returned 0x4e0000 [0103.744] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.744] GetProcessHeap () returned 0x4e0000 [0103.744] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.744] GetProcessHeap () returned 0x4e0000 [0103.744] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.744] GetProcessHeap () returned 0x4e0000 [0103.744] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.744] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\9B-2P.xls" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\9B-2P.xls") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\9B-2P.xls" [0103.745] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\9B-2P.xls", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\9B-2P.xls.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\9B-2P.xls.NEPHILIM" [0103.745] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\9B-2P.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\9b-2p.xls"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\9B-2P.xls.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\9b-2p.xls.nephilim")) returned 1 [0103.745] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad6b8820, ftCreationTime.dwHighDateTime=0x1d5dd52, ftLastAccessTime.dwLowDateTime=0x1a1d14c0, ftLastAccessTime.dwHighDateTime=0x1d5e267, ftLastWriteTime.dwLowDateTime=0x1a1d14c0, ftLastWriteTime.dwHighDateTime=0x1d5e267, nFileSizeHigh=0x0, nFileSizeLow=0xc42a, dwReserved0=0x24dd72c, dwReserved1=0x5af26689, cFileName="oAwRVtH56Okwzg.xls", cAlternateFileName="OAWRVT~1.XLS")) returned 1 [0103.745] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2=".") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="..") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="...") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="windows") returned -1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="$RECYCLE.BIN") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="rsa") returned -1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="log") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="NTDETECT.COM") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="ntldr") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="MSDOS.SYS") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="IO.SYS") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="boot.ini") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="AUTOEXEC.BAT") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="ntuser.dat") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="desktop.ini") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="CONFIG.SYS") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="RECYCLER") returned -1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="BOOTSECT.BAK") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="bootmgr") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="programdata") returned -1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="appdata") returned 1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="program files") returned -1 [0103.746] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="program files (x86)") returned -1 [0103.746] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" [0103.746] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\", lpString2="oAwRVtH56Okwzg.xls" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\oAwRVtH56Okwzg.xls") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\oAwRVtH56Okwzg.xls" [0103.747] PathFindExtensionW (pszPath="oAwRVtH56Okwzg.xls") returned=".xls" [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".NEPHILIM") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0103.747] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0103.747] lstrcmpiW (lpString1="oAwRVtH56Okwzg.xls", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.747] lstrlenA (lpString="NEPHILIM") returned 8 [0103.747] GetProcessHeap () returned 0x4e0000 [0103.747] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505110 [0103.747] lstrlenA (lpString="NEPHILIM") returned 8 [0103.747] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\oAwRVtH56Okwzg.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\oawrvth56okwzg.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0103.748] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=50218) returned 1 [0103.748] GetProcessHeap () returned 0x4e0000 [0103.748] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.748] GetProcessHeap () returned 0x4e0000 [0103.748] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.748] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.748] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.748] GetProcessHeap () returned 0x4e0000 [0103.748] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.748] GetProcessHeap () returned 0x4e0000 [0103.748] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.748] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0103.748] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0103.749] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xc42a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.749] SetLastError (dwErrCode=0x0) [0103.749] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.751] GetLastError () returned 0x0 [0103.751] GetLastError () returned 0x0 [0103.751] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xc52a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.751] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.751] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xc62a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.751] lstrlenA (lpString="NEPHILIM") returned 8 [0103.751] WriteFile (in: hFile=0xf4, lpBuffer=0x505110*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x505110*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0103.751] GetProcessHeap () returned 0x4e0000 [0103.751] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xc42a) returned 0x50d8b8 [0103.751] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.751] ReadFile (in: hFile=0xf4, lpBuffer=0x50d8b8, nNumberOfBytesToRead=0xc42a, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesRead=0x24dd730*=0xc42a, lpOverlapped=0x0) returned 1 [0103.754] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.754] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8b8*, nNumberOfBytesToWrite=0xc42a, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesWritten=0x24dd73c*=0xc42a, lpOverlapped=0x0) returned 1 [0103.755] GetProcessHeap () returned 0x4e0000 [0103.755] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d8b8 | out: hHeap=0x4e0000) returned 1 [0103.755] CloseHandle (hObject=0xf4) returned 1 [0103.760] GetProcessHeap () returned 0x4e0000 [0103.760] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.760] GetProcessHeap () returned 0x4e0000 [0103.760] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.760] GetProcessHeap () returned 0x4e0000 [0103.760] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.760] GetProcessHeap () returned 0x4e0000 [0103.760] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.760] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\oAwRVtH56Okwzg.xls" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\oAwRVtH56Okwzg.xls") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\oAwRVtH56Okwzg.xls" [0103.760] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\oAwRVtH56Okwzg.xls", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\oAwRVtH56Okwzg.xls.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\oAwRVtH56Okwzg.xls.NEPHILIM" [0103.760] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\oAwRVtH56Okwzg.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\oawrvth56okwzg.xls"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\oAwRVtH56Okwzg.xls.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\oawrvth56okwzg.xls.nephilim")) returned 1 [0103.761] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf39658b0, ftCreationTime.dwHighDateTime=0x1d5e6ea, ftLastAccessTime.dwLowDateTime=0xd2ccfe20, ftLastAccessTime.dwHighDateTime=0x1d5e1ce, ftLastWriteTime.dwLowDateTime=0xd2ccfe20, ftLastWriteTime.dwHighDateTime=0x1d5e1ce, nFileSizeHigh=0x0, nFileSizeLow=0x509d, dwReserved0=0x24dd72c, dwReserved1=0x5af26689, cFileName="t61aX7t i.pps", cAlternateFileName="T61AX7~1.PPS")) returned 1 [0103.761] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2=".") returned 1 [0103.761] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="..") returned 1 [0103.761] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="...") returned 1 [0103.761] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="windows") returned -1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="$RECYCLE.BIN") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="rsa") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="log") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="NTDETECT.COM") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="ntldr") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="MSDOS.SYS") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="IO.SYS") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="boot.ini") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="AUTOEXEC.BAT") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="ntuser.dat") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="desktop.ini") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="CONFIG.SYS") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="RECYCLER") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="BOOTSECT.BAK") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="bootmgr") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="programdata") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="appdata") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="program files") returned 1 [0103.762] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="program files (x86)") returned 1 [0103.762] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" [0103.762] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\", lpString2="t61aX7t i.pps" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\t61aX7t i.pps") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\t61aX7t i.pps" [0103.762] PathFindExtensionW (pszPath="t61aX7t i.pps") returned=".pps" [0103.762] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".NEPHILIM") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0103.763] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0103.763] lstrcmpiW (lpString1="t61aX7t i.pps", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.763] lstrlenA (lpString="NEPHILIM") returned 8 [0103.763] GetProcessHeap () returned 0x4e0000 [0103.763] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505120 [0103.763] lstrlenA (lpString="NEPHILIM") returned 8 [0103.763] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\t61aX7t i.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\t61ax7t i.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0103.764] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=20637) returned 1 [0103.764] GetProcessHeap () returned 0x4e0000 [0103.764] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.764] GetProcessHeap () returned 0x4e0000 [0103.764] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.764] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.764] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.764] GetProcessHeap () returned 0x4e0000 [0103.764] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.764] GetProcessHeap () returned 0x4e0000 [0103.764] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.764] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0103.764] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0103.765] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x509d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.765] SetLastError (dwErrCode=0x0) [0103.765] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.766] GetLastError () returned 0x0 [0103.766] GetLastError () returned 0x0 [0103.766] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x519d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.766] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.766] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x529d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.766] lstrlenA (lpString="NEPHILIM") returned 8 [0103.766] WriteFile (in: hFile=0xf4, lpBuffer=0x505120*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x505120*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0103.767] GetProcessHeap () returned 0x4e0000 [0103.767] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x509d) returned 0x50d8b8 [0103.767] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.767] ReadFile (in: hFile=0xf4, lpBuffer=0x50d8b8, nNumberOfBytesToRead=0x509d, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesRead=0x24dd730*=0x509d, lpOverlapped=0x0) returned 1 [0103.768] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.768] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8b8*, nNumberOfBytesToWrite=0x509d, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x509d, lpOverlapped=0x0) returned 1 [0103.768] GetProcessHeap () returned 0x4e0000 [0103.768] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d8b8 | out: hHeap=0x4e0000) returned 1 [0103.769] CloseHandle (hObject=0xf4) returned 1 [0103.770] GetProcessHeap () returned 0x4e0000 [0103.770] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.770] GetProcessHeap () returned 0x4e0000 [0103.770] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.770] GetProcessHeap () returned 0x4e0000 [0103.770] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.770] GetProcessHeap () returned 0x4e0000 [0103.770] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.770] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\t61aX7t i.pps" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\t61aX7t i.pps") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\t61aX7t i.pps" [0103.770] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\t61aX7t i.pps", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\t61aX7t i.pps.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\t61aX7t i.pps.NEPHILIM" [0103.770] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\t61aX7t i.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\t61ax7t i.pps"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\t61aX7t i.pps.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\t61ax7t i.pps.nephilim")) returned 1 [0103.771] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38060560, ftCreationTime.dwHighDateTime=0x1d5dcf3, ftLastAccessTime.dwLowDateTime=0x7a240440, ftLastAccessTime.dwHighDateTime=0x1d5da2a, ftLastWriteTime.dwLowDateTime=0x7a240440, ftLastWriteTime.dwHighDateTime=0x1d5da2a, nFileSizeHigh=0x0, nFileSizeLow=0xd85e, dwReserved0=0x24dd72c, dwReserved1=0x5af26689, cFileName="wO1H005NmYKDORdxx.xls", cAlternateFileName="WO1H00~1.XLS")) returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2=".") returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="..") returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="...") returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="windows") returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="$RECYCLE.BIN") returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="rsa") returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="log") returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="NTDETECT.COM") returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="ntldr") returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="MSDOS.SYS") returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="IO.SYS") returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="boot.ini") returned 1 [0103.771] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="AUTOEXEC.BAT") returned 1 [0103.772] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="ntuser.dat") returned 1 [0103.772] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="desktop.ini") returned 1 [0103.772] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="CONFIG.SYS") returned 1 [0103.772] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="RECYCLER") returned 1 [0103.772] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="BOOTSECT.BAK") returned 1 [0103.772] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="bootmgr") returned 1 [0103.772] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="programdata") returned 1 [0103.772] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="appdata") returned 1 [0103.772] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="program files") returned 1 [0103.772] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="program files (x86)") returned 1 [0103.772] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\" [0103.772] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\", lpString2="wO1H005NmYKDORdxx.xls" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\wO1H005NmYKDORdxx.xls") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\wO1H005NmYKDORdxx.xls" [0103.772] PathFindExtensionW (pszPath="wO1H005NmYKDORdxx.xls") returned=".xls" [0103.772] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0103.772] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0103.772] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0103.772] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0103.772] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0103.772] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0103.772] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0103.772] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0103.772] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0103.772] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0103.772] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0103.772] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0103.773] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0103.773] lstrcmpiW (lpString1=".xls", lpString2=".NEPHILIM") returned 1 [0103.773] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0103.773] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0103.773] lstrcmpiW (lpString1="wO1H005NmYKDORdxx.xls", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.773] lstrlenA (lpString="NEPHILIM") returned 8 [0103.773] GetProcessHeap () returned 0x4e0000 [0103.773] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505130 [0103.773] lstrlenA (lpString="NEPHILIM") returned 8 [0103.773] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\wO1H005NmYKDORdxx.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\wo1h005nmykdordxx.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0103.773] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=55390) returned 1 [0103.773] GetProcessHeap () returned 0x4e0000 [0103.773] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.773] GetProcessHeap () returned 0x4e0000 [0103.773] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.773] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.773] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.773] GetProcessHeap () returned 0x4e0000 [0103.773] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.773] GetProcessHeap () returned 0x4e0000 [0103.773] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.773] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0103.774] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0103.774] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xd85e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.774] SetLastError (dwErrCode=0x0) [0103.774] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.775] GetLastError () returned 0x0 [0103.775] GetLastError () returned 0x0 [0103.775] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xd95e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.775] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0103.776] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xda5e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.776] lstrlenA (lpString="NEPHILIM") returned 8 [0103.776] WriteFile (in: hFile=0xf4, lpBuffer=0x505130*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x505130*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0103.776] GetProcessHeap () returned 0x4e0000 [0103.776] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xd85e) returned 0x50d8b8 [0103.776] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.776] ReadFile (in: hFile=0xf4, lpBuffer=0x50d8b8, nNumberOfBytesToRead=0xd85e, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesRead=0x24dd730*=0xd85e, lpOverlapped=0x0) returned 1 [0103.780] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.780] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8b8*, nNumberOfBytesToWrite=0xd85e, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesWritten=0x24dd73c*=0xd85e, lpOverlapped=0x0) returned 1 [0103.780] GetProcessHeap () returned 0x4e0000 [0103.780] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d8b8 | out: hHeap=0x4e0000) returned 1 [0103.780] CloseHandle (hObject=0xf4) returned 1 [0103.783] GetProcessHeap () returned 0x4e0000 [0103.783] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.783] GetProcessHeap () returned 0x4e0000 [0103.783] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.783] GetProcessHeap () returned 0x4e0000 [0103.783] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.784] GetProcessHeap () returned 0x4e0000 [0103.784] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.784] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\wO1H005NmYKDORdxx.xls" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\wO1H005NmYKDORdxx.xls") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\wO1H005NmYKDORdxx.xls" [0103.784] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\wO1H005NmYKDORdxx.xls", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\wO1H005NmYKDORdxx.xls.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\wO1H005NmYKDORdxx.xls.NEPHILIM" [0103.784] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\wO1H005NmYKDORdxx.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\wo1h005nmykdordxx.xls"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\Rf87NKFT\\wO1H005NmYKDORdxx.xls.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\rf87nkft\\wo1h005nmykdordxx.xls.nephilim")) returned 1 [0103.785] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38060560, ftCreationTime.dwHighDateTime=0x1d5dcf3, ftLastAccessTime.dwLowDateTime=0x7a240440, ftLastAccessTime.dwHighDateTime=0x1d5da2a, ftLastWriteTime.dwLowDateTime=0x7a240440, ftLastWriteTime.dwHighDateTime=0x1d5da2a, nFileSizeHigh=0x0, nFileSizeLow=0xd85e, dwReserved0=0x24dd72c, dwReserved1=0x5af26689, cFileName="wO1H005NmYKDORdxx.xls", cAlternateFileName="WO1H00~1.XLS")) returned 0 [0103.785] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0103.785] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d78be0, ftCreationTime.dwHighDateTime=0x1d5e30c, ftLastAccessTime.dwLowDateTime=0x8209c890, ftLastAccessTime.dwHighDateTime=0x1d5df73, ftLastWriteTime.dwLowDateTime=0x8209c890, ftLastWriteTime.dwHighDateTime=0x1d5df73, nFileSizeHigh=0x0, nFileSizeLow=0xed1, dwReserved0=0x24dddac, dwReserved1=0x4650a9ce, cFileName="wFtusCdv0.odt", cAlternateFileName="WFTUSC~1.ODT")) returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2=".") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="..") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="...") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="windows") returned -1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="$RECYCLE.BIN") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="rsa") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="log") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="NTDETECT.COM") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="ntldr") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="MSDOS.SYS") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="IO.SYS") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="boot.ini") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="AUTOEXEC.BAT") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="ntuser.dat") returned 1 [0103.785] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="desktop.ini") returned 1 [0103.786] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="CONFIG.SYS") returned 1 [0103.786] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="RECYCLER") returned 1 [0103.786] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="BOOTSECT.BAK") returned 1 [0103.786] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="bootmgr") returned 1 [0103.786] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="programdata") returned 1 [0103.786] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="appdata") returned 1 [0103.786] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="program files") returned 1 [0103.786] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="program files (x86)") returned 1 [0103.786] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\" [0103.786] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\", lpString2="wFtusCdv0.odt" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\wFtusCdv0.odt") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\wFtusCdv0.odt" [0103.786] PathFindExtensionW (pszPath="wFtusCdv0.odt") returned=".odt" [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".exe") returned 1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".log") returned 1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".cab") returned 1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".cmd") returned 1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".com") returned 1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".cpl") returned 1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".url") returned -1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".ttf") returned -1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".mp3") returned 1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".pif") returned -1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".mp4") returned 1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".NEPHILIM") returned 1 [0103.786] lstrcmpiW (lpString1=".odt", lpString2=".msi") returned 1 [0103.787] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0103.787] lstrcmpiW (lpString1="wFtusCdv0.odt", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.787] lstrlenA (lpString="NEPHILIM") returned 8 [0103.787] GetProcessHeap () returned 0x4e0000 [0103.787] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505140 [0103.787] lstrlenA (lpString="NEPHILIM") returned 8 [0103.787] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\wFtusCdv0.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\wftuscdv0.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0103.787] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=3793) returned 1 [0103.787] GetProcessHeap () returned 0x4e0000 [0103.787] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.787] GetProcessHeap () returned 0x4e0000 [0103.787] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.787] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.787] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.787] GetProcessHeap () returned 0x4e0000 [0103.787] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.787] GetProcessHeap () returned 0x4e0000 [0103.787] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.787] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0103.788] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0103.788] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xed1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.788] SetLastError (dwErrCode=0x0) [0103.788] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.789] GetLastError () returned 0x0 [0103.789] GetLastError () returned 0x0 [0103.789] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfd1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.789] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0103.790] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x10d1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.790] lstrlenA (lpString="NEPHILIM") returned 8 [0103.790] WriteFile (in: hFile=0xf0, lpBuffer=0x505140*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x505140*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0103.790] GetProcessHeap () returned 0x4e0000 [0103.790] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xed1) returned 0x50c8b0 [0103.790] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.790] ReadFile (in: hFile=0xf0, lpBuffer=0x50c8b0, nNumberOfBytesToRead=0xed1, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesRead=0x24dddb0*=0xed1, lpOverlapped=0x0) returned 1 [0103.790] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.790] WriteFile (in: hFile=0xf0, lpBuffer=0x50c8b0*, nNumberOfBytesToWrite=0xed1, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesWritten=0x24dddbc*=0xed1, lpOverlapped=0x0) returned 1 [0103.791] GetProcessHeap () returned 0x4e0000 [0103.791] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b0 | out: hHeap=0x4e0000) returned 1 [0103.791] CloseHandle (hObject=0xf0) returned 1 [0103.792] GetProcessHeap () returned 0x4e0000 [0103.792] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.792] GetProcessHeap () returned 0x4e0000 [0103.792] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.792] GetProcessHeap () returned 0x4e0000 [0103.792] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.792] GetProcessHeap () returned 0x4e0000 [0103.792] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.792] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\wFtusCdv0.odt" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\wFtusCdv0.odt") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\wFtusCdv0.odt" [0103.792] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\wFtusCdv0.odt", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\wFtusCdv0.odt.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\wFtusCdv0.odt.NEPHILIM" [0103.792] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\wFtusCdv0.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\wftuscdv0.odt"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\X5140S3Luj8ic32Dytgg\\wFtusCdv0.odt.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x5140s3luj8ic32dytgg\\wftuscdv0.odt.nephilim")) returned 1 [0103.793] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31d78be0, ftCreationTime.dwHighDateTime=0x1d5e30c, ftLastAccessTime.dwLowDateTime=0x8209c890, ftLastAccessTime.dwHighDateTime=0x1d5df73, ftLastWriteTime.dwLowDateTime=0x8209c890, ftLastWriteTime.dwHighDateTime=0x1d5df73, nFileSizeHigh=0x0, nFileSizeLow=0xed1, dwReserved0=0x24dddac, dwReserved1=0x4650a9ce, cFileName="wFtusCdv0.odt", cAlternateFileName="WFTUSC~1.ODT")) returned 0 [0103.793] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0103.793] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf25e50, ftCreationTime.dwHighDateTime=0x1d589ca, ftLastAccessTime.dwLowDateTime=0x5935c8d0, ftLastAccessTime.dwHighDateTime=0x1d5d17a, ftLastWriteTime.dwLowDateTime=0x5935c8d0, ftLastWriteTime.dwHighDateTime=0x1d5d17a, nFileSizeHigh=0x0, nFileSizeLow=0x106bf, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="xnz7-n_50oeM8dJ.docx", cAlternateFileName="XNZ7-N~1.DOC")) returned 1 [0103.793] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2=".") returned 1 [0103.793] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="..") returned 1 [0103.793] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="...") returned 1 [0103.793] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="windows") returned 1 [0103.793] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="$RECYCLE.BIN") returned 1 [0103.793] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="rsa") returned 1 [0103.793] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="log") returned 1 [0103.793] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="NTDETECT.COM") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="ntldr") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="MSDOS.SYS") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="IO.SYS") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="boot.ini") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="AUTOEXEC.BAT") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="ntuser.dat") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="desktop.ini") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="CONFIG.SYS") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="RECYCLER") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="BOOTSECT.BAK") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="bootmgr") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="programdata") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="appdata") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="program files") returned 1 [0103.794] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="program files (x86)") returned 1 [0103.794] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.794] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="xnz7-n_50oeM8dJ.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnz7-n_50oeM8dJ.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnz7-n_50oeM8dJ.docx" [0103.794] PathFindExtensionW (pszPath="xnz7-n_50oeM8dJ.docx") returned=".docx" [0103.794] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0103.794] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0103.794] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0103.794] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0103.794] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0103.794] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0103.795] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0103.795] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0103.795] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0103.795] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0103.795] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0103.795] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0103.795] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0103.795] lstrcmpiW (lpString1=".docx", lpString2=".NEPHILIM") returned -1 [0103.795] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0103.795] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0103.795] lstrcmpiW (lpString1="xnz7-n_50oeM8dJ.docx", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.795] lstrlenA (lpString="NEPHILIM") returned 8 [0103.795] GetProcessHeap () returned 0x4e0000 [0103.795] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505150 [0103.795] lstrlenA (lpString="NEPHILIM") returned 8 [0103.795] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnz7-n_50oeM8dJ.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xnz7-n_50oem8dj.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.795] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=67263) returned 1 [0103.795] GetProcessHeap () returned 0x4e0000 [0103.795] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.795] GetProcessHeap () returned 0x4e0000 [0103.796] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.796] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.796] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.796] GetProcessHeap () returned 0x4e0000 [0103.796] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.796] GetProcessHeap () returned 0x4e0000 [0103.796] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.796] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.796] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.796] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x106bf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.796] SetLastError (dwErrCode=0x0) [0103.797] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.798] GetLastError () returned 0x0 [0103.798] GetLastError () returned 0x0 [0103.798] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x107bf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.798] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.798] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x108bf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.798] lstrlenA (lpString="NEPHILIM") returned 8 [0103.798] WriteFile (in: hFile=0xec, lpBuffer=0x505150*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505150*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.798] GetProcessHeap () returned 0x4e0000 [0103.798] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x106bf) returned 0x50b8a8 [0103.798] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.798] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x106bf, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x106bf, lpOverlapped=0x0) returned 1 [0103.803] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.803] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x106bf, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x106bf, lpOverlapped=0x0) returned 1 [0103.803] GetProcessHeap () returned 0x4e0000 [0103.803] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0103.803] CloseHandle (hObject=0xec) returned 1 [0103.805] GetProcessHeap () returned 0x4e0000 [0103.805] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.805] GetProcessHeap () returned 0x4e0000 [0103.805] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.805] GetProcessHeap () returned 0x4e0000 [0103.805] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.805] GetProcessHeap () returned 0x4e0000 [0103.805] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.805] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnz7-n_50oeM8dJ.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnz7-n_50oeM8dJ.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnz7-n_50oeM8dJ.docx" [0103.806] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnz7-n_50oeM8dJ.docx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnz7-n_50oeM8dJ.docx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnz7-n_50oeM8dJ.docx.NEPHILIM" [0103.806] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnz7-n_50oeM8dJ.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xnz7-n_50oem8dj.docx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xnz7-n_50oeM8dJ.docx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xnz7-n_50oem8dj.docx.nephilim")) returned 1 [0103.807] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x456f9110, ftCreationTime.dwHighDateTime=0x1d5838b, ftLastAccessTime.dwLowDateTime=0x63f46b50, ftLastAccessTime.dwHighDateTime=0x1d59778, ftLastWriteTime.dwLowDateTime=0x63f46b50, ftLastWriteTime.dwHighDateTime=0x1d59778, nFileSizeHigh=0x0, nFileSizeLow=0x161b0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="xuUTvNixNZQ9.xlsx", cAlternateFileName="XUUTVN~1.XLS")) returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2=".") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="..") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="...") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="windows") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="rsa") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="log") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="NTDETECT.COM") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="ntldr") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="MSDOS.SYS") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="IO.SYS") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="boot.ini") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="ntuser.dat") returned 1 [0103.807] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="desktop.ini") returned 1 [0103.808] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="CONFIG.SYS") returned 1 [0103.808] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="RECYCLER") returned 1 [0103.808] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0103.808] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="bootmgr") returned 1 [0103.808] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="programdata") returned 1 [0103.808] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="appdata") returned 1 [0103.808] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="program files") returned 1 [0103.808] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="program files (x86)") returned 1 [0103.808] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.808] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="xuUTvNixNZQ9.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xuUTvNixNZQ9.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xuUTvNixNZQ9.xlsx" [0103.808] PathFindExtensionW (pszPath="xuUTvNixNZQ9.xlsx") returned=".xlsx" [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".NEPHILIM") returned 1 [0103.808] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0103.809] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0103.809] lstrcmpiW (lpString1="xuUTvNixNZQ9.xlsx", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.809] lstrlenA (lpString="NEPHILIM") returned 8 [0103.809] GetProcessHeap () returned 0x4e0000 [0103.809] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505160 [0103.809] lstrlenA (lpString="NEPHILIM") returned 8 [0103.809] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xuUTvNixNZQ9.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xuutvnixnzq9.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.809] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=90544) returned 1 [0103.809] GetProcessHeap () returned 0x4e0000 [0103.809] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.809] GetProcessHeap () returned 0x4e0000 [0103.809] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.809] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.809] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.809] GetProcessHeap () returned 0x4e0000 [0103.809] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.809] GetProcessHeap () returned 0x4e0000 [0103.809] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.809] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.810] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.810] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x161b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.810] SetLastError (dwErrCode=0x0) [0103.810] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.811] GetLastError () returned 0x0 [0103.811] GetLastError () returned 0x0 [0103.811] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x162b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.811] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.812] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x163b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.812] lstrlenA (lpString="NEPHILIM") returned 8 [0103.812] WriteFile (in: hFile=0xec, lpBuffer=0x505160*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505160*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.812] GetProcessHeap () returned 0x4e0000 [0103.812] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x161b0) returned 0x50b8a8 [0103.812] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.812] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x161b0, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x161b0, lpOverlapped=0x0) returned 1 [0103.819] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.819] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x161b0, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x161b0, lpOverlapped=0x0) returned 1 [0103.819] GetProcessHeap () returned 0x4e0000 [0103.819] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0103.819] CloseHandle (hObject=0xec) returned 1 [0103.821] GetProcessHeap () returned 0x4e0000 [0103.821] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.821] GetProcessHeap () returned 0x4e0000 [0103.821] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.821] GetProcessHeap () returned 0x4e0000 [0103.821] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.821] GetProcessHeap () returned 0x4e0000 [0103.821] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.821] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xuUTvNixNZQ9.xlsx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xuUTvNixNZQ9.xlsx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xuUTvNixNZQ9.xlsx" [0103.822] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xuUTvNixNZQ9.xlsx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xuUTvNixNZQ9.xlsx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xuUTvNixNZQ9.xlsx.NEPHILIM" [0103.822] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xuUTvNixNZQ9.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xuutvnixnzq9.xlsx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xuUTvNixNZQ9.xlsx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xuutvnixnzq9.xlsx.nephilim")) returned 1 [0103.823] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6ac5120, ftCreationTime.dwHighDateTime=0x1d5db86, ftLastAccessTime.dwLowDateTime=0x8e6ceb20, ftLastAccessTime.dwHighDateTime=0x1d5e2ad, ftLastWriteTime.dwLowDateTime=0x8e6ceb20, ftLastWriteTime.dwHighDateTime=0x1d5e2ad, nFileSizeHigh=0x0, nFileSizeLow=0x10110, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="z8I3rJ8jHANzTdsg.csv", cAlternateFileName="Z8I3RJ~1.CSV")) returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2=".") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="..") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="...") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="windows") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="$RECYCLE.BIN") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="rsa") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="log") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="NTDETECT.COM") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="ntldr") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="MSDOS.SYS") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="IO.SYS") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="boot.ini") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="AUTOEXEC.BAT") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="ntuser.dat") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="desktop.ini") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="CONFIG.SYS") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="RECYCLER") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="BOOTSECT.BAK") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="bootmgr") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="programdata") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="appdata") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="program files") returned 1 [0103.823] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="program files (x86)") returned 1 [0103.823] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.824] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="z8I3rJ8jHANzTdsg.csv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z8I3rJ8jHANzTdsg.csv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z8I3rJ8jHANzTdsg.csv" [0103.824] PathFindExtensionW (pszPath="z8I3rJ8jHANzTdsg.csv") returned=".csv" [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".NEPHILIM") returned -1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0103.824] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0103.824] lstrcmpiW (lpString1="z8I3rJ8jHANzTdsg.csv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.824] lstrlenA (lpString="NEPHILIM") returned 8 [0103.824] GetProcessHeap () returned 0x4e0000 [0103.824] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505170 [0103.824] lstrlenA (lpString="NEPHILIM") returned 8 [0103.824] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z8I3rJ8jHANzTdsg.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z8i3rj8jhanztdsg.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.825] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=65808) returned 1 [0103.825] GetProcessHeap () returned 0x4e0000 [0103.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.825] GetProcessHeap () returned 0x4e0000 [0103.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.825] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.825] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.825] GetProcessHeap () returned 0x4e0000 [0103.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.825] GetProcessHeap () returned 0x4e0000 [0103.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.825] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.825] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.826] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.826] SetLastError (dwErrCode=0x0) [0103.826] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.827] GetLastError () returned 0x0 [0103.827] GetLastError () returned 0x0 [0103.827] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.827] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.827] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.827] lstrlenA (lpString="NEPHILIM") returned 8 [0103.827] WriteFile (in: hFile=0xec, lpBuffer=0x505170*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505170*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.827] GetProcessHeap () returned 0x4e0000 [0103.827] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10110) returned 0x50b8a8 [0103.827] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.827] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x10110, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x10110, lpOverlapped=0x0) returned 1 [0103.833] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.833] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x10110, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x10110, lpOverlapped=0x0) returned 1 [0103.833] GetProcessHeap () returned 0x4e0000 [0103.833] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0103.833] CloseHandle (hObject=0xec) returned 1 [0103.835] GetProcessHeap () returned 0x4e0000 [0103.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.835] GetProcessHeap () returned 0x4e0000 [0103.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.835] GetProcessHeap () returned 0x4e0000 [0103.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.835] GetProcessHeap () returned 0x4e0000 [0103.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.835] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z8I3rJ8jHANzTdsg.csv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z8I3rJ8jHANzTdsg.csv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z8I3rJ8jHANzTdsg.csv" [0103.835] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z8I3rJ8jHANzTdsg.csv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z8I3rJ8jHANzTdsg.csv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z8I3rJ8jHANzTdsg.csv.NEPHILIM" [0103.835] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z8I3rJ8jHANzTdsg.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z8i3rj8jhanztdsg.csv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\z8I3rJ8jHANzTdsg.csv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z8i3rj8jhanztdsg.csv.nephilim")) returned 1 [0103.836] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f99c070, ftCreationTime.dwHighDateTime=0x1d574d2, ftLastAccessTime.dwLowDateTime=0xe8d1c820, ftLastAccessTime.dwHighDateTime=0x1d569e4, ftLastWriteTime.dwLowDateTime=0xe8d1c820, ftLastWriteTime.dwHighDateTime=0x1d569e4, nFileSizeHigh=0x0, nFileSizeLow=0x2827, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="ZPw3gPQ4dX2oz9KXEQL5.docx", cAlternateFileName="ZPW3GP~1.DOC")) returned 1 [0103.836] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2=".") returned 1 [0103.836] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="..") returned 1 [0103.836] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="...") returned 1 [0103.836] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="windows") returned 1 [0103.836] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="$RECYCLE.BIN") returned 1 [0103.836] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="rsa") returned 1 [0103.836] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="log") returned 1 [0103.836] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="NTDETECT.COM") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="ntldr") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="MSDOS.SYS") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="IO.SYS") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="boot.ini") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="AUTOEXEC.BAT") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="ntuser.dat") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="desktop.ini") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="CONFIG.SYS") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="RECYCLER") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="BOOTSECT.BAK") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="bootmgr") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="programdata") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="appdata") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="program files") returned 1 [0103.837] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="program files (x86)") returned 1 [0103.837] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0103.837] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="ZPw3gPQ4dX2oz9KXEQL5.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZPw3gPQ4dX2oz9KXEQL5.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZPw3gPQ4dX2oz9KXEQL5.docx" [0103.837] PathFindExtensionW (pszPath="ZPw3gPQ4dX2oz9KXEQL5.docx") returned=".docx" [0103.837] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0103.837] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0103.837] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0103.837] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0103.837] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0103.837] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0103.837] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0103.837] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0103.838] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0103.838] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0103.838] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0103.838] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0103.838] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0103.838] lstrcmpiW (lpString1=".docx", lpString2=".NEPHILIM") returned -1 [0103.838] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0103.838] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0103.838] lstrcmpiW (lpString1="ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0103.838] lstrlenA (lpString="NEPHILIM") returned 8 [0103.838] GetProcessHeap () returned 0x4e0000 [0103.838] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505180 [0103.838] lstrlenA (lpString="NEPHILIM") returned 8 [0103.838] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZPw3gPQ4dX2oz9KXEQL5.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zpw3gpq4dx2oz9kxeql5.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0103.838] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=10279) returned 1 [0103.838] GetProcessHeap () returned 0x4e0000 [0103.838] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0103.838] GetProcessHeap () returned 0x4e0000 [0103.838] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0103.838] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0103.839] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0103.839] GetProcessHeap () returned 0x4e0000 [0103.839] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0103.839] GetProcessHeap () returned 0x4e0000 [0103.839] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0103.839] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0103.839] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0103.839] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2827, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.839] SetLastError (dwErrCode=0x0) [0103.839] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.840] GetLastError () returned 0x0 [0103.841] GetLastError () returned 0x0 [0103.841] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2927, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.841] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0103.841] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2a27, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.841] lstrlenA (lpString="NEPHILIM") returned 8 [0103.841] WriteFile (in: hFile=0xec, lpBuffer=0x505180*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505180*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0103.841] GetProcessHeap () returned 0x4e0000 [0103.841] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2827) returned 0x50b8a8 [0103.841] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.841] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x2827, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x2827, lpOverlapped=0x0) returned 1 [0103.842] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.842] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x2827, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x2827, lpOverlapped=0x0) returned 1 [0103.842] GetProcessHeap () returned 0x4e0000 [0103.842] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0103.842] CloseHandle (hObject=0xec) returned 1 [0103.893] GetProcessHeap () returned 0x4e0000 [0103.893] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0103.893] GetProcessHeap () returned 0x4e0000 [0103.893] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0103.893] GetProcessHeap () returned 0x4e0000 [0103.893] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0103.893] GetProcessHeap () returned 0x4e0000 [0103.893] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0103.894] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZPw3gPQ4dX2oz9KXEQL5.docx" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZPw3gPQ4dX2oz9KXEQL5.docx") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZPw3gPQ4dX2oz9KXEQL5.docx" [0103.894] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZPw3gPQ4dX2oz9KXEQL5.docx", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZPw3gPQ4dX2oz9KXEQL5.docx.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZPw3gPQ4dX2oz9KXEQL5.docx.NEPHILIM" [0103.894] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZPw3gPQ4dX2oz9KXEQL5.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zpw3gpq4dx2oz9kxeql5.docx"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZPw3gPQ4dX2oz9KXEQL5.docx.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\zpw3gpq4dx2oz9kxeql5.docx.nephilim")) returned 1 [0103.895] FindNextFileW (in: hFindFile=0x502830, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f99c070, ftCreationTime.dwHighDateTime=0x1d574d2, ftLastAccessTime.dwLowDateTime=0xe8d1c820, ftLastAccessTime.dwHighDateTime=0x1d569e4, ftLastWriteTime.dwLowDateTime=0xe8d1c820, ftLastWriteTime.dwHighDateTime=0x1d569e4, nFileSizeHigh=0x0, nFileSizeLow=0x2827, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="ZPw3gPQ4dX2oz9KXEQL5.docx", cAlternateFileName="ZPW3GP~1.DOC")) returned 0 [0103.895] FindClose (in: hFindFile=0x502830 | out: hFindFile=0x502830) returned 1 [0103.895] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="...") returned 1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="$RECYCLE.BIN") returned 1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="rsa") returned -1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="log") returned -1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="NTDETECT.COM") returned -1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="ntldr") returned -1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="MSDOS.SYS") returned -1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="IO.SYS") returned -1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="boot.ini") returned 1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="AUTOEXEC.BAT") returned 1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="ntuser.dat") returned -1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="desktop.ini") returned 1 [0103.895] lstrcmpiW (lpString1="Downloads", lpString2="CONFIG.SYS") returned 1 [0103.896] lstrcmpiW (lpString1="Downloads", lpString2="RECYCLER") returned -1 [0103.896] lstrcmpiW (lpString1="Downloads", lpString2="BOOTSECT.BAK") returned 1 [0103.896] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0103.896] lstrcmpiW (lpString1="Downloads", lpString2="programdata") returned -1 [0103.896] lstrcmpiW (lpString1="Downloads", lpString2="appdata") returned 1 [0103.896] lstrcmpiW (lpString1="Downloads", lpString2="program files") returned -1 [0103.896] lstrcmpiW (lpString1="Downloads", lpString2="program files (x86)") returned -1 [0103.896] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0103.896] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Downloads" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" [0103.896] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\" [0103.896] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\" [0103.896] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*" [0103.896] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0103.896] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0103.896] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0103.897] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0103.897] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0103.897] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0103.897] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0103.897] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0103.897] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0103.897] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0103.897] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0103.897] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="...") returned 1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="$RECYCLE.BIN") returned 1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="rsa") returned -1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="log") returned -1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="NTDETECT.COM") returned -1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="ntldr") returned -1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="MSDOS.SYS") returned -1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="IO.SYS") returned -1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="boot.ini") returned 1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="AUTOEXEC.BAT") returned 1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="ntuser.dat") returned -1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="desktop.ini") returned 1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="CONFIG.SYS") returned 1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="RECYCLER") returned -1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="BOOTSECT.BAK") returned 1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="bootmgr") returned 1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="programdata") returned -1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="appdata") returned 1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="program files") returned -1 [0103.898] lstrcmpiW (lpString1="Favorites", lpString2="program files (x86)") returned -1 [0103.898] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0103.898] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Favorites" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" [0103.898] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0103.898] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0103.898] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" [0103.899] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0103.899] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0103.899] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0103.899] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0103.899] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0103.899] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0103.899] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0103.900] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0103.900] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Links", cAlternateFileName="")) returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="$RECYCLE.BIN") returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="log") returned -1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="NTDETECT.COM") returned -1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="ntldr") returned -1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="MSDOS.SYS") returned -1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="IO.SYS") returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="boot.ini") returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="AUTOEXEC.BAT") returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="desktop.ini") returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="CONFIG.SYS") returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="RECYCLER") returned -1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="BOOTSECT.BAK") returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0103.900] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0103.900] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0103.900] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="Links" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" [0103.901] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" [0103.901] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" [0103.901] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*" [0103.901] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0103.901] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0103.901] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0103.901] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0103.901] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0103.901] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0103.901] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0103.901] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0103.901] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0103.901] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0103.901] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0103.901] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0103.901] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0103.901] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0103.902] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0103.902] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0103.902] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0103.902] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0103.902] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0103.902] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0103.902] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0103.902] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52cd1930, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52fcb4b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xec, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="Suggested Sites.url", cAlternateFileName="SUGGES~1.URL")) returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2=".") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="..") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="...") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="windows") returned -1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="$RECYCLE.BIN") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="rsa") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="log") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="NTDETECT.COM") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="ntldr") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="MSDOS.SYS") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="IO.SYS") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="boot.ini") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="AUTOEXEC.BAT") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="ntuser.dat") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="desktop.ini") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="CONFIG.SYS") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="RECYCLER") returned 1 [0103.902] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="BOOTSECT.BAK") returned 1 [0103.903] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="bootmgr") returned 1 [0103.903] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="programdata") returned 1 [0103.903] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="appdata") returned 1 [0103.903] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="program files") returned 1 [0103.903] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="program files (x86)") returned 1 [0103.903] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" [0103.903] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\", lpString2="Suggested Sites.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" [0103.903] PathFindExtensionW (pszPath="Suggested Sites.url") returned=".url" [0103.903] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0103.903] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0103.903] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0103.903] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0103.903] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0103.903] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0103.903] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0103.903] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0103.903] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0103.903] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d9517a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 1 [0103.903] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2=".") returned 1 [0103.903] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="..") returned 1 [0103.903] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="...") returned 1 [0103.903] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="windows") returned -1 [0103.903] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="$RECYCLE.BIN") returned 1 [0103.903] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="rsa") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="log") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="NTDETECT.COM") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="ntldr") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="MSDOS.SYS") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="IO.SYS") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="boot.ini") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="AUTOEXEC.BAT") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="ntuser.dat") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="desktop.ini") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="CONFIG.SYS") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="RECYCLER") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="BOOTSECT.BAK") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="bootmgr") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="programdata") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="appdata") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="program files") returned 1 [0103.904] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="program files (x86)") returned 1 [0103.904] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" [0103.904] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\", lpString2="Web Slice Gallery.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" [0103.904] PathFindExtensionW (pszPath="Web Slice Gallery.url") returned=".url" [0103.904] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0103.904] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0103.904] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0103.904] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0103.905] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0103.905] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0103.905] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0103.905] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0103.905] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0103.905] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d9517a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 0 [0103.905] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0103.905] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2=".") returned 1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2="..") returned 1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2="...") returned 1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2="windows") returned -1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2="$RECYCLE.BIN") returned 1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2="rsa") returned -1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2="log") returned 1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2="NTDETECT.COM") returned -1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2="ntldr") returned -1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2="MSDOS.SYS") returned -1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2="IO.SYS") returned 1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2="boot.ini") returned 1 [0103.905] lstrcmpiW (lpString1="Microsoft Websites", lpString2="AUTOEXEC.BAT") returned 1 [0103.906] lstrcmpiW (lpString1="Microsoft Websites", lpString2="ntuser.dat") returned -1 [0103.906] lstrcmpiW (lpString1="Microsoft Websites", lpString2="desktop.ini") returned 1 [0103.906] lstrcmpiW (lpString1="Microsoft Websites", lpString2="CONFIG.SYS") returned 1 [0103.906] lstrcmpiW (lpString1="Microsoft Websites", lpString2="RECYCLER") returned -1 [0103.906] lstrcmpiW (lpString1="Microsoft Websites", lpString2="BOOTSECT.BAK") returned 1 [0103.906] lstrcmpiW (lpString1="Microsoft Websites", lpString2="bootmgr") returned 1 [0103.906] lstrcmpiW (lpString1="Microsoft Websites", lpString2="programdata") returned -1 [0103.906] lstrcmpiW (lpString1="Microsoft Websites", lpString2="appdata") returned 1 [0103.906] lstrcmpiW (lpString1="Microsoft Websites", lpString2="program files") returned -1 [0103.906] lstrcmpiW (lpString1="Microsoft Websites", lpString2="program files (x86)") returned -1 [0103.906] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0103.906] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="Microsoft Websites" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0103.906] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0103.906] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0103.906] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*" [0103.906] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0104.006] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.006] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0104.007] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.007] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.007] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2=".") returned 1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="..") returned 1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="...") returned 1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="windows") returned -1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="$RECYCLE.BIN") returned 1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="rsa") returned -1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="log") returned -1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="NTDETECT.COM") returned -1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="ntldr") returned -1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="MSDOS.SYS") returned -1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="IO.SYS") returned -1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="boot.ini") returned 1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="ntuser.dat") returned -1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="desktop.ini") returned 1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="CONFIG.SYS") returned 1 [0104.007] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="RECYCLER") returned -1 [0104.008] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="BOOTSECT.BAK") returned 1 [0104.008] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="bootmgr") returned 1 [0104.008] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="programdata") returned -1 [0104.008] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="appdata") returned 1 [0104.008] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="program files") returned -1 [0104.008] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="program files (x86)") returned -1 [0104.008] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0104.008] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="IE Add-on site.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" [0104.008] PathFindExtensionW (pszPath="IE Add-on site.url") returned=".url" [0104.008] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.008] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.008] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.008] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.008] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.008] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.008] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.008] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.008] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.008] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="IE site on Microsoft.com.url", cAlternateFileName="IESITE~1.URL")) returned 1 [0104.008] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2=".") returned 1 [0104.008] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="..") returned 1 [0104.008] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="...") returned 1 [0104.008] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="windows") returned -1 [0104.008] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="$RECYCLE.BIN") returned 1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="rsa") returned -1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="log") returned -1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="NTDETECT.COM") returned -1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="ntldr") returned -1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="MSDOS.SYS") returned -1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="IO.SYS") returned -1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="boot.ini") returned 1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="ntuser.dat") returned -1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="desktop.ini") returned 1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="CONFIG.SYS") returned 1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="RECYCLER") returned -1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="BOOTSECT.BAK") returned 1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="bootmgr") returned 1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="programdata") returned -1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="appdata") returned 1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="program files") returned -1 [0104.009] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="program files (x86)") returned -1 [0104.009] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0104.009] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="IE site on Microsoft.com.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" [0104.009] PathFindExtensionW (pszPath="IE site on Microsoft.com.url") returned=".url" [0104.009] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.009] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.009] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.009] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.009] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.010] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.010] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.010] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.010] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.010] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="Microsoft At Home.url", cAlternateFileName="MICROS~3.URL")) returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2=".") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="..") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="...") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="windows") returned -1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="$RECYCLE.BIN") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="rsa") returned -1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="log") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="NTDETECT.COM") returned -1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="ntldr") returned -1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="MSDOS.SYS") returned -1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="IO.SYS") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="boot.ini") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="ntuser.dat") returned -1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="desktop.ini") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="CONFIG.SYS") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="RECYCLER") returned -1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="BOOTSECT.BAK") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="bootmgr") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="programdata") returned -1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="appdata") returned 1 [0104.010] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="program files") returned -1 [0104.011] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="program files (x86)") returned -1 [0104.011] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0104.011] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="Microsoft At Home.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" [0104.011] PathFindExtensionW (pszPath="Microsoft At Home.url") returned=".url" [0104.011] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.011] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.011] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.011] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.011] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.011] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.011] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.011] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.011] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.011] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="Microsoft At Work.url", cAlternateFileName="MICROS~2.URL")) returned 1 [0104.011] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2=".") returned 1 [0104.011] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="..") returned 1 [0104.011] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="...") returned 1 [0104.011] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="windows") returned -1 [0104.011] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="$RECYCLE.BIN") returned 1 [0104.011] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="rsa") returned -1 [0104.011] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="log") returned 1 [0104.011] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="NTDETECT.COM") returned -1 [0104.011] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="ntldr") returned -1 [0104.011] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="MSDOS.SYS") returned -1 [0104.011] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="IO.SYS") returned 1 [0104.012] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="boot.ini") returned 1 [0104.012] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.012] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="ntuser.dat") returned -1 [0104.012] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="desktop.ini") returned 1 [0104.012] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="CONFIG.SYS") returned 1 [0104.012] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="RECYCLER") returned -1 [0104.012] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="BOOTSECT.BAK") returned 1 [0104.012] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="bootmgr") returned 1 [0104.012] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="programdata") returned -1 [0104.012] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="appdata") returned 1 [0104.012] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="program files") returned -1 [0104.012] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="program files (x86)") returned -1 [0104.012] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0104.012] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="Microsoft At Work.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" [0104.012] PathFindExtensionW (pszPath="Microsoft At Work.url") returned=".url" [0104.012] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.012] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.012] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.012] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.012] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.012] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.012] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.012] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.012] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.012] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2=".") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="..") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="...") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="windows") returned -1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="$RECYCLE.BIN") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="rsa") returned -1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="log") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="NTDETECT.COM") returned -1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="ntldr") returned -1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="MSDOS.SYS") returned -1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="IO.SYS") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="boot.ini") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="ntuser.dat") returned -1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="desktop.ini") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="CONFIG.SYS") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="RECYCLER") returned -1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="BOOTSECT.BAK") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="bootmgr") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="programdata") returned -1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="appdata") returned 1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="program files") returned -1 [0104.013] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="program files (x86)") returned -1 [0104.013] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0104.013] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="Microsoft Store.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" [0104.013] PathFindExtensionW (pszPath="Microsoft Store.url") returned=".url" [0104.013] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.014] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.014] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.014] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.014] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.014] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.014] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.014] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.014] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.014] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 0 [0104.014] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0104.015] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0104.015] lstrcmpiW (lpString1="MSN Websites", lpString2=".") returned 1 [0104.015] lstrcmpiW (lpString1="MSN Websites", lpString2="..") returned 1 [0104.015] lstrcmpiW (lpString1="MSN Websites", lpString2="...") returned 1 [0104.015] lstrcmpiW (lpString1="MSN Websites", lpString2="windows") returned -1 [0104.015] lstrcmpiW (lpString1="MSN Websites", lpString2="$RECYCLE.BIN") returned 1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="rsa") returned -1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="log") returned 1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="NTDETECT.COM") returned -1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="ntldr") returned -1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="MSDOS.SYS") returned 1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="IO.SYS") returned 1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="boot.ini") returned 1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="AUTOEXEC.BAT") returned 1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="ntuser.dat") returned -1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="desktop.ini") returned 1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="CONFIG.SYS") returned 1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="RECYCLER") returned -1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="BOOTSECT.BAK") returned 1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="bootmgr") returned 1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="programdata") returned -1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="appdata") returned 1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="program files") returned -1 [0104.016] lstrcmpiW (lpString1="MSN Websites", lpString2="program files (x86)") returned -1 [0104.016] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0104.016] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="MSN Websites" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0104.016] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0104.016] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0104.016] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*" [0104.016] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0104.041] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.041] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0104.041] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.041] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.041] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0104.041] lstrcmpiW (lpString1="MSN Autos.url", lpString2=".") returned 1 [0104.041] lstrcmpiW (lpString1="MSN Autos.url", lpString2="..") returned 1 [0104.041] lstrcmpiW (lpString1="MSN Autos.url", lpString2="...") returned 1 [0104.041] lstrcmpiW (lpString1="MSN Autos.url", lpString2="windows") returned -1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="$RECYCLE.BIN") returned 1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="rsa") returned -1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="log") returned 1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="NTDETECT.COM") returned -1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="ntldr") returned -1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="MSDOS.SYS") returned 1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="IO.SYS") returned 1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="boot.ini") returned 1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="ntuser.dat") returned -1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="desktop.ini") returned 1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="CONFIG.SYS") returned 1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="RECYCLER") returned -1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="BOOTSECT.BAK") returned 1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="bootmgr") returned 1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="programdata") returned -1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="appdata") returned 1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="program files") returned -1 [0104.042] lstrcmpiW (lpString1="MSN Autos.url", lpString2="program files (x86)") returned -1 [0104.042] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0104.042] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSN Autos.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" [0104.042] PathFindExtensionW (pszPath="MSN Autos.url") returned=".url" [0104.042] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.042] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.042] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.042] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.043] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.043] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.043] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.043] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.043] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.043] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="MSN Entertainment.url", cAlternateFileName="MSNENT~1.URL")) returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2=".") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="..") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="...") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="windows") returned -1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="$RECYCLE.BIN") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="rsa") returned -1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="log") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="NTDETECT.COM") returned -1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="ntldr") returned -1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="MSDOS.SYS") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="IO.SYS") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="boot.ini") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="ntuser.dat") returned -1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="desktop.ini") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="CONFIG.SYS") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="RECYCLER") returned -1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="BOOTSECT.BAK") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="bootmgr") returned 1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="programdata") returned -1 [0104.043] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="appdata") returned 1 [0104.044] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="program files") returned -1 [0104.044] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="program files (x86)") returned -1 [0104.044] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0104.044] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSN Entertainment.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" [0104.044] PathFindExtensionW (pszPath="MSN Entertainment.url") returned=".url" [0104.044] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.044] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.044] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.044] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.044] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.044] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.044] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.044] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.044] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.044] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="MSN Money.url", cAlternateFileName="MSNMON~1.URL")) returned 1 [0104.044] lstrcmpiW (lpString1="MSN Money.url", lpString2=".") returned 1 [0104.044] lstrcmpiW (lpString1="MSN Money.url", lpString2="..") returned 1 [0104.044] lstrcmpiW (lpString1="MSN Money.url", lpString2="...") returned 1 [0104.044] lstrcmpiW (lpString1="MSN Money.url", lpString2="windows") returned -1 [0104.044] lstrcmpiW (lpString1="MSN Money.url", lpString2="$RECYCLE.BIN") returned 1 [0104.044] lstrcmpiW (lpString1="MSN Money.url", lpString2="rsa") returned -1 [0104.044] lstrcmpiW (lpString1="MSN Money.url", lpString2="log") returned 1 [0104.044] lstrcmpiW (lpString1="MSN Money.url", lpString2="NTDETECT.COM") returned -1 [0104.044] lstrcmpiW (lpString1="MSN Money.url", lpString2="ntldr") returned -1 [0104.044] lstrcmpiW (lpString1="MSN Money.url", lpString2="MSDOS.SYS") returned 1 [0104.044] lstrcmpiW (lpString1="MSN Money.url", lpString2="IO.SYS") returned 1 [0104.045] lstrcmpiW (lpString1="MSN Money.url", lpString2="boot.ini") returned 1 [0104.045] lstrcmpiW (lpString1="MSN Money.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.045] lstrcmpiW (lpString1="MSN Money.url", lpString2="ntuser.dat") returned -1 [0104.045] lstrcmpiW (lpString1="MSN Money.url", lpString2="desktop.ini") returned 1 [0104.045] lstrcmpiW (lpString1="MSN Money.url", lpString2="CONFIG.SYS") returned 1 [0104.045] lstrcmpiW (lpString1="MSN Money.url", lpString2="RECYCLER") returned -1 [0104.045] lstrcmpiW (lpString1="MSN Money.url", lpString2="BOOTSECT.BAK") returned 1 [0104.045] lstrcmpiW (lpString1="MSN Money.url", lpString2="bootmgr") returned 1 [0104.045] lstrcmpiW (lpString1="MSN Money.url", lpString2="programdata") returned -1 [0104.045] lstrcmpiW (lpString1="MSN Money.url", lpString2="appdata") returned 1 [0104.045] lstrcmpiW (lpString1="MSN Money.url", lpString2="program files") returned -1 [0104.045] lstrcmpiW (lpString1="MSN Money.url", lpString2="program files (x86)") returned -1 [0104.045] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0104.045] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSN Money.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" [0104.045] PathFindExtensionW (pszPath="MSN Money.url") returned=".url" [0104.045] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.045] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.045] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.045] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.045] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.045] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.045] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.045] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.045] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.045] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="MSN Sports.url", cAlternateFileName="MSNSPO~1.URL")) returned 1 [0104.045] lstrcmpiW (lpString1="MSN Sports.url", lpString2=".") returned 1 [0104.045] lstrcmpiW (lpString1="MSN Sports.url", lpString2="..") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="...") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="windows") returned -1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="$RECYCLE.BIN") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="rsa") returned -1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="log") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="NTDETECT.COM") returned -1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="ntldr") returned -1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="MSDOS.SYS") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="IO.SYS") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="boot.ini") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="ntuser.dat") returned -1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="desktop.ini") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="CONFIG.SYS") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="RECYCLER") returned -1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="BOOTSECT.BAK") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="bootmgr") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="programdata") returned -1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="appdata") returned 1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="program files") returned -1 [0104.046] lstrcmpiW (lpString1="MSN Sports.url", lpString2="program files (x86)") returned -1 [0104.046] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0104.046] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSN Sports.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" [0104.046] PathFindExtensionW (pszPath="MSN Sports.url") returned=".url" [0104.047] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.047] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.047] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.047] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.047] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.047] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.047] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.047] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.047] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.047] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="MSN.url", cAlternateFileName="")) returned 1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2=".") returned 1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="..") returned 1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="...") returned 1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="windows") returned -1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="$RECYCLE.BIN") returned 1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="rsa") returned -1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="log") returned 1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="NTDETECT.COM") returned -1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="ntldr") returned -1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="MSDOS.SYS") returned 1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="IO.SYS") returned 1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="boot.ini") returned 1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="ntuser.dat") returned -1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="desktop.ini") returned 1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="CONFIG.SYS") returned 1 [0104.047] lstrcmpiW (lpString1="MSN.url", lpString2="RECYCLER") returned -1 [0104.048] lstrcmpiW (lpString1="MSN.url", lpString2="BOOTSECT.BAK") returned 1 [0104.048] lstrcmpiW (lpString1="MSN.url", lpString2="bootmgr") returned 1 [0104.048] lstrcmpiW (lpString1="MSN.url", lpString2="programdata") returned -1 [0104.048] lstrcmpiW (lpString1="MSN.url", lpString2="appdata") returned 1 [0104.048] lstrcmpiW (lpString1="MSN.url", lpString2="program files") returned -1 [0104.048] lstrcmpiW (lpString1="MSN.url", lpString2="program files (x86)") returned -1 [0104.048] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0104.048] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSN.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" [0104.048] PathFindExtensionW (pszPath="MSN.url") returned=".url" [0104.048] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.048] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.048] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.048] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.048] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.048] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.048] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.048] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.048] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.048] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 1 [0104.048] lstrcmpiW (lpString1="MSNBC News.url", lpString2=".") returned 1 [0104.048] lstrcmpiW (lpString1="MSNBC News.url", lpString2="..") returned 1 [0104.048] lstrcmpiW (lpString1="MSNBC News.url", lpString2="...") returned 1 [0104.048] lstrcmpiW (lpString1="MSNBC News.url", lpString2="windows") returned -1 [0104.048] lstrcmpiW (lpString1="MSNBC News.url", lpString2="$RECYCLE.BIN") returned 1 [0104.048] lstrcmpiW (lpString1="MSNBC News.url", lpString2="rsa") returned -1 [0104.048] lstrcmpiW (lpString1="MSNBC News.url", lpString2="log") returned 1 [0104.048] lstrcmpiW (lpString1="MSNBC News.url", lpString2="NTDETECT.COM") returned -1 [0104.048] lstrcmpiW (lpString1="MSNBC News.url", lpString2="ntldr") returned -1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="MSDOS.SYS") returned 1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="IO.SYS") returned 1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="boot.ini") returned 1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="ntuser.dat") returned -1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="desktop.ini") returned 1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="CONFIG.SYS") returned 1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="RECYCLER") returned -1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="BOOTSECT.BAK") returned 1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="bootmgr") returned 1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="programdata") returned -1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="appdata") returned 1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="program files") returned -1 [0104.049] lstrcmpiW (lpString1="MSNBC News.url", lpString2="program files (x86)") returned -1 [0104.049] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0104.049] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSNBC News.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" [0104.049] PathFindExtensionW (pszPath="MSNBC News.url") returned=".url" [0104.049] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.049] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.049] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.049] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.049] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.049] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.049] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.049] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.049] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.049] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 0 [0104.050] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0104.051] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2=".") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="..") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="...") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="windows") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="$RECYCLE.BIN") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="rsa") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="log") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="NTDETECT.COM") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="ntldr") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="MSDOS.SYS") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="IO.SYS") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="boot.ini") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="AUTOEXEC.BAT") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="ntuser.dat") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="desktop.ini") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="CONFIG.SYS") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="RECYCLER") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="BOOTSECT.BAK") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="bootmgr") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="programdata") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="appdata") returned 1 [0104.051] lstrcmpiW (lpString1="Windows Live", lpString2="program files") returned 1 [0104.052] lstrcmpiW (lpString1="Windows Live", lpString2="program files (x86)") returned 1 [0104.052] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0104.052] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="Windows Live" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0104.052] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" [0104.052] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" [0104.052] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*" [0104.052] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0104.232] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.232] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0104.232] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.232] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.233] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2=".") returned 1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="..") returned 1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="...") returned 1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="windows") returned -1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="$RECYCLE.BIN") returned 1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="rsa") returned -1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="log") returned -1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="NTDETECT.COM") returned -1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="ntldr") returned -1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="MSDOS.SYS") returned -1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="IO.SYS") returned -1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="boot.ini") returned 1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="ntuser.dat") returned -1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="desktop.ini") returned 1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="CONFIG.SYS") returned 1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="RECYCLER") returned -1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="BOOTSECT.BAK") returned 1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="bootmgr") returned 1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="programdata") returned -1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="appdata") returned 1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="program files") returned -1 [0104.233] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="program files (x86)") returned -1 [0104.233] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" [0104.234] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\", lpString2="Get Windows Live.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" [0104.234] PathFindExtensionW (pszPath="Get Windows Live.url") returned=".url" [0104.234] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.234] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.234] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.234] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.234] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.234] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.234] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.234] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.234] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.234] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="Windows Live Gallery.url", cAlternateFileName="WINDOW~2.URL")) returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2=".") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="..") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="...") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="windows") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="$RECYCLE.BIN") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="rsa") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="log") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="NTDETECT.COM") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="ntldr") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="MSDOS.SYS") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="IO.SYS") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="boot.ini") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.234] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="ntuser.dat") returned 1 [0104.235] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="desktop.ini") returned 1 [0104.235] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="CONFIG.SYS") returned 1 [0104.235] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="RECYCLER") returned 1 [0104.235] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="BOOTSECT.BAK") returned 1 [0104.235] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="bootmgr") returned 1 [0104.235] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="programdata") returned 1 [0104.235] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="appdata") returned 1 [0104.235] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="program files") returned 1 [0104.235] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="program files (x86)") returned 1 [0104.235] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" [0104.235] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\", lpString2="Windows Live Gallery.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" [0104.235] PathFindExtensionW (pszPath="Windows Live Gallery.url") returned=".url" [0104.235] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.235] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.235] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.235] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.235] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.235] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.235] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.235] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.235] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.235] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="Windows Live Mail.url", cAlternateFileName="WINDOW~1.URL")) returned 1 [0104.235] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2=".") returned 1 [0104.235] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="..") returned 1 [0104.235] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="...") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="windows") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="$RECYCLE.BIN") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="rsa") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="log") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="NTDETECT.COM") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="ntldr") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="MSDOS.SYS") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="IO.SYS") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="boot.ini") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="ntuser.dat") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="desktop.ini") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="CONFIG.SYS") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="RECYCLER") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="BOOTSECT.BAK") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="bootmgr") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="programdata") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="appdata") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="program files") returned 1 [0104.236] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="program files (x86)") returned 1 [0104.236] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" [0104.236] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\", lpString2="Windows Live Mail.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" [0104.236] PathFindExtensionW (pszPath="Windows Live Mail.url") returned=".url" [0104.236] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.236] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.236] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.236] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.237] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.237] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.237] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.237] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.237] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.237] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2=".") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="..") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="...") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="windows") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="$RECYCLE.BIN") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="rsa") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="log") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="NTDETECT.COM") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="ntldr") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="MSDOS.SYS") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="IO.SYS") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="boot.ini") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="AUTOEXEC.BAT") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="ntuser.dat") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="desktop.ini") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="CONFIG.SYS") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="RECYCLER") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="BOOTSECT.BAK") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="bootmgr") returned 1 [0104.237] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="programdata") returned 1 [0104.238] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="appdata") returned 1 [0104.238] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="program files") returned 1 [0104.238] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="program files (x86)") returned 1 [0104.238] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" [0104.238] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\", lpString2="Windows Live Spaces.url" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" [0104.238] PathFindExtensionW (pszPath="Windows Live Spaces.url") returned=".url" [0104.238] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0104.238] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0104.238] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0104.238] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0104.238] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0104.238] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0104.238] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0104.238] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0104.238] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0104.238] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x24de8e0, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 0 [0104.238] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0104.239] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0104.239] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0104.239] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Links", cAlternateFileName="")) returned 1 [0104.239] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0104.239] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="$RECYCLE.BIN") returned 1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="log") returned -1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="NTDETECT.COM") returned -1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="ntldr") returned -1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="MSDOS.SYS") returned -1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="IO.SYS") returned 1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="boot.ini") returned 1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="AUTOEXEC.BAT") returned 1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="desktop.ini") returned 1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="CONFIG.SYS") returned 1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="RECYCLER") returned -1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="BOOTSECT.BAK") returned 1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0104.240] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0104.240] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0104.240] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Links" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" [0104.240] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\" [0104.240] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\" [0104.240] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" [0104.241] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0104.241] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.241] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0104.241] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.241] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.241] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0104.241] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0104.242] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0104.242] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1e6, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2=".") returned 1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="..") returned 1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="...") returned 1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="windows") returned -1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="$RECYCLE.BIN") returned 1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="rsa") returned -1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="log") returned -1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="NTDETECT.COM") returned -1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="ntldr") returned -1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="MSDOS.SYS") returned -1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="IO.SYS") returned -1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="boot.ini") returned 1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="ntuser.dat") returned -1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="desktop.ini") returned 1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="CONFIG.SYS") returned 1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="RECYCLER") returned -1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="BOOTSECT.BAK") returned 1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="bootmgr") returned 1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="programdata") returned -1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="appdata") returned 1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="program files") returned -1 [0104.242] lstrcmpiW (lpString1="Desktop.lnk", lpString2="program files (x86)") returned -1 [0104.242] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\" [0104.242] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="Desktop.lnk" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" [0104.243] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".NEPHILIM") returned -1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0104.243] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0104.243] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x3a1, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0104.243] lstrcmpiW (lpString1="Downloads.lnk", lpString2=".") returned 1 [0104.243] lstrcmpiW (lpString1="Downloads.lnk", lpString2="..") returned 1 [0104.243] lstrcmpiW (lpString1="Downloads.lnk", lpString2="...") returned 1 [0104.243] lstrcmpiW (lpString1="Downloads.lnk", lpString2="windows") returned -1 [0104.243] lstrcmpiW (lpString1="Downloads.lnk", lpString2="$RECYCLE.BIN") returned 1 [0104.243] lstrcmpiW (lpString1="Downloads.lnk", lpString2="rsa") returned -1 [0104.243] lstrcmpiW (lpString1="Downloads.lnk", lpString2="log") returned -1 [0104.243] lstrcmpiW (lpString1="Downloads.lnk", lpString2="NTDETECT.COM") returned -1 [0104.243] lstrcmpiW (lpString1="Downloads.lnk", lpString2="ntldr") returned -1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="MSDOS.SYS") returned -1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="IO.SYS") returned -1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="boot.ini") returned 1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="ntuser.dat") returned -1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="desktop.ini") returned 1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="CONFIG.SYS") returned 1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="RECYCLER") returned -1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="BOOTSECT.BAK") returned 1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="bootmgr") returned 1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="programdata") returned -1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="appdata") returned 1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="program files") returned -1 [0104.244] lstrcmpiW (lpString1="Downloads.lnk", lpString2="program files (x86)") returned -1 [0104.244] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\" [0104.244] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="Downloads.lnk" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" [0104.244] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0104.244] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0104.244] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0104.244] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0104.244] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0104.244] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0104.244] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0104.244] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0104.244] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0104.244] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0104.244] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0104.245] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0104.245] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0104.245] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0104.245] lstrcmpiW (lpString1=".lnk", lpString2=".NEPHILIM") returned -1 [0104.245] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0104.245] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0104.245] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2=".") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="..") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="...") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="windows") returned -1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="$RECYCLE.BIN") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="rsa") returned -1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="log") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="NTDETECT.COM") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="ntldr") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="MSDOS.SYS") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="IO.SYS") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="boot.ini") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="ntuser.dat") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="desktop.ini") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="CONFIG.SYS") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="RECYCLER") returned -1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="BOOTSECT.BAK") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="bootmgr") returned 1 [0104.245] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="programdata") returned 1 [0104.246] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="appdata") returned 1 [0104.246] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="program files") returned 1 [0104.246] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="program files (x86)") returned 1 [0104.246] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\" [0104.246] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="RecentPlaces.lnk" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" [0104.246] PathFindExtensionW (pszPath="RecentPlaces.lnk") returned=".lnk" [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".NEPHILIM") returned -1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0104.246] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0104.246] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0 [0104.246] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0104.247] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="...") returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="windows") returned -1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="$RECYCLE.BIN") returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="rsa") returned -1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="log") returned -1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="NTDETECT.COM") returned -1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="ntldr") returned -1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="MSDOS.SYS") returned -1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="IO.SYS") returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="boot.ini") returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="AUTOEXEC.BAT") returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="ntuser.dat") returned -1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="desktop.ini") returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="CONFIG.SYS") returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="RECYCLER") returned -1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="BOOTSECT.BAK") returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="bootmgr") returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="programdata") returned -1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="appdata") returned 1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="program files") returned -1 [0104.247] lstrcmpiW (lpString1="Local Settings", lpString2="program files (x86)") returned -1 [0104.247] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0104.248] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Local Settings" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings" [0104.248] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\" [0104.248] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\" [0104.248] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*.*" [0104.248] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0xffffffff [0104.248] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xde469600, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xde469600, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Music", cAlternateFileName="")) returned 1 [0104.248] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0104.248] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0104.248] lstrcmpiW (lpString1="Music", lpString2="...") returned 1 [0104.248] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0104.248] lstrcmpiW (lpString1="Music", lpString2="$RECYCLE.BIN") returned 1 [0104.248] lstrcmpiW (lpString1="Music", lpString2="rsa") returned -1 [0104.248] lstrcmpiW (lpString1="Music", lpString2="log") returned 1 [0104.248] lstrcmpiW (lpString1="Music", lpString2="NTDETECT.COM") returned -1 [0104.248] lstrcmpiW (lpString1="Music", lpString2="ntldr") returned -1 [0104.248] lstrcmpiW (lpString1="Music", lpString2="MSDOS.SYS") returned 1 [0104.248] lstrcmpiW (lpString1="Music", lpString2="IO.SYS") returned 1 [0104.249] lstrcmpiW (lpString1="Music", lpString2="boot.ini") returned 1 [0104.249] lstrcmpiW (lpString1="Music", lpString2="AUTOEXEC.BAT") returned 1 [0104.249] lstrcmpiW (lpString1="Music", lpString2="ntuser.dat") returned -1 [0104.249] lstrcmpiW (lpString1="Music", lpString2="desktop.ini") returned 1 [0104.249] lstrcmpiW (lpString1="Music", lpString2="CONFIG.SYS") returned 1 [0104.249] lstrcmpiW (lpString1="Music", lpString2="RECYCLER") returned -1 [0104.249] lstrcmpiW (lpString1="Music", lpString2="BOOTSECT.BAK") returned 1 [0104.249] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0104.249] lstrcmpiW (lpString1="Music", lpString2="programdata") returned -1 [0104.377] lstrcmpiW (lpString1="Music", lpString2="appdata") returned 1 [0104.377] lstrcmpiW (lpString1="Music", lpString2="program files") returned -1 [0104.377] lstrcmpiW (lpString1="Music", lpString2="program files (x86)") returned -1 [0104.377] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0104.377] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Music" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" [0104.377] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0104.377] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0104.377] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0104.377] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xde469600, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xde469600, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0104.377] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.378] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xde469600, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xde469600, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0104.378] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.378] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.378] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957a6fa0, ftCreationTime.dwHighDateTime=0x1d5dcb8, ftLastAccessTime.dwLowDateTime=0xbce08770, ftLastAccessTime.dwHighDateTime=0x1d5e422, ftLastWriteTime.dwLowDateTime=0xbce08770, ftLastWriteTime.dwHighDateTime=0x1d5e422, nFileSizeHigh=0x0, nFileSizeLow=0x15a75, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Bw4bl.m4a", cAlternateFileName="")) returned 1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2=".") returned 1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="..") returned 1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="...") returned 1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="windows") returned -1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="rsa") returned -1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="log") returned -1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="NTDETECT.COM") returned -1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="ntldr") returned -1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="MSDOS.SYS") returned -1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="IO.SYS") returned -1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="boot.ini") returned 1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="ntuser.dat") returned -1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="desktop.ini") returned -1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="CONFIG.SYS") returned -1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="RECYCLER") returned -1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="bootmgr") returned 1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="programdata") returned -1 [0104.378] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="appdata") returned 1 [0104.379] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="program files") returned -1 [0104.379] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="program files (x86)") returned -1 [0104.379] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0104.379] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="Bw4bl.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Bw4bl.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Bw4bl.m4a" [0104.379] PathFindExtensionW (pszPath="Bw4bl.m4a") returned=".m4a" [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.379] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.379] lstrcmpiW (lpString1="Bw4bl.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.379] lstrlenA (lpString="NEPHILIM") returned 8 [0104.379] GetProcessHeap () returned 0x4e0000 [0104.379] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505190 [0104.380] lstrlenA (lpString="NEPHILIM") returned 8 [0104.380] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Bw4bl.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bw4bl.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0104.380] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=88693) returned 1 [0104.380] GetProcessHeap () returned 0x4e0000 [0104.380] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.380] GetProcessHeap () returned 0x4e0000 [0104.380] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.380] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.380] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.380] GetProcessHeap () returned 0x4e0000 [0104.380] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.380] GetProcessHeap () returned 0x4e0000 [0104.380] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.380] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0104.381] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0104.381] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15a75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.381] SetLastError (dwErrCode=0x0) [0104.381] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.383] GetLastError () returned 0x0 [0104.383] GetLastError () returned 0x0 [0104.383] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15b75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.383] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.383] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15c75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.383] lstrlenA (lpString="NEPHILIM") returned 8 [0104.383] WriteFile (in: hFile=0xec, lpBuffer=0x505190*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x505190*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0104.383] GetProcessHeap () returned 0x4e0000 [0104.383] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x15a75) returned 0x50b8a8 [0104.383] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.383] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x15a75, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x15a75, lpOverlapped=0x0) returned 1 [0104.389] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.390] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x15a75, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x15a75, lpOverlapped=0x0) returned 1 [0104.390] GetProcessHeap () returned 0x4e0000 [0104.390] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0104.390] CloseHandle (hObject=0xec) returned 1 [0104.392] GetProcessHeap () returned 0x4e0000 [0104.392] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.392] GetProcessHeap () returned 0x4e0000 [0104.392] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.392] GetProcessHeap () returned 0x4e0000 [0104.392] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.393] GetProcessHeap () returned 0x4e0000 [0104.393] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.393] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Bw4bl.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Bw4bl.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Bw4bl.m4a" [0104.393] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Bw4bl.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Bw4bl.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Bw4bl.m4a.NEPHILIM" [0104.393] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Bw4bl.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bw4bl.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Bw4bl.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bw4bl.m4a.nephilim")) returned 1 [0104.394] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0104.394] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0104.394] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34a34d20, ftCreationTime.dwHighDateTime=0x1d5d8e7, ftLastAccessTime.dwLowDateTime=0xacc59b40, ftLastAccessTime.dwHighDateTime=0x1d5d85c, ftLastWriteTime.dwLowDateTime=0xacc59b40, ftLastWriteTime.dwHighDateTime=0x1d5d85c, nFileSizeHigh=0x0, nFileSizeLow=0xff45, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="HqgjNkX6ZE.mp3", cAlternateFileName="HQGJNK~1.MP3")) returned 1 [0104.394] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2=".") returned 1 [0104.394] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="..") returned 1 [0104.394] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="...") returned 1 [0104.394] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="windows") returned -1 [0104.394] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="$RECYCLE.BIN") returned 1 [0104.394] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="rsa") returned -1 [0104.394] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="log") returned -1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="NTDETECT.COM") returned -1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="ntldr") returned -1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="MSDOS.SYS") returned -1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="IO.SYS") returned -1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="boot.ini") returned 1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="ntuser.dat") returned -1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="desktop.ini") returned 1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="CONFIG.SYS") returned 1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="RECYCLER") returned -1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="BOOTSECT.BAK") returned 1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="bootmgr") returned 1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="programdata") returned -1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="appdata") returned 1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="program files") returned -1 [0104.395] lstrcmpiW (lpString1="HqgjNkX6ZE.mp3", lpString2="program files (x86)") returned -1 [0104.395] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0104.395] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="HqgjNkX6ZE.mp3" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HqgjNkX6ZE.mp3") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HqgjNkX6ZE.mp3" [0104.395] PathFindExtensionW (pszPath="HqgjNkX6ZE.mp3") returned=".mp3" [0104.395] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0104.395] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0104.395] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0104.395] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0104.395] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0104.395] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0104.395] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0104.396] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0104.396] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0104.396] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0104.396] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0104.396] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dcf97b0, ftCreationTime.dwHighDateTime=0x1d5e24e, ftLastAccessTime.dwLowDateTime=0x939eb930, ftLastAccessTime.dwHighDateTime=0x1d5dba4, ftLastWriteTime.dwLowDateTime=0x939eb930, ftLastWriteTime.dwHighDateTime=0x1d5dba4, nFileSizeHigh=0x0, nFileSizeLow=0x6e4f, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="IpIqiuJ3ucU_wteAE7f.mp3", cAlternateFileName="IPIQIU~1.MP3")) returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2=".") returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="..") returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="...") returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="windows") returned -1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="$RECYCLE.BIN") returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="rsa") returned -1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="log") returned -1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="NTDETECT.COM") returned -1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="ntldr") returned -1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="MSDOS.SYS") returned -1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="IO.SYS") returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="boot.ini") returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="ntuser.dat") returned -1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="desktop.ini") returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="CONFIG.SYS") returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="RECYCLER") returned -1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="BOOTSECT.BAK") returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="bootmgr") returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="programdata") returned -1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="appdata") returned 1 [0104.396] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="program files") returned -1 [0104.397] lstrcmpiW (lpString1="IpIqiuJ3ucU_wteAE7f.mp3", lpString2="program files (x86)") returned -1 [0104.397] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0104.397] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="IpIqiuJ3ucU_wteAE7f.mp3" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IpIqiuJ3ucU_wteAE7f.mp3") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IpIqiuJ3ucU_wteAE7f.mp3" [0104.397] PathFindExtensionW (pszPath="IpIqiuJ3ucU_wteAE7f.mp3") returned=".mp3" [0104.397] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0104.397] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0104.397] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0104.397] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0104.397] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0104.397] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0104.397] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0104.397] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0104.397] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0104.397] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0104.397] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0104.397] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17946970, ftCreationTime.dwHighDateTime=0x1d5de06, ftLastAccessTime.dwLowDateTime=0x9040ad0, ftLastAccessTime.dwHighDateTime=0x1d5dac5, ftLastWriteTime.dwLowDateTime=0x9040ad0, ftLastWriteTime.dwHighDateTime=0x1d5dac5, nFileSizeHigh=0x0, nFileSizeLow=0x15759, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="jrC27p-IO0j2Kbl.wav", cAlternateFileName="JRC27P~1.WAV")) returned 1 [0104.397] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2=".") returned 1 [0104.397] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="..") returned 1 [0104.397] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="...") returned 1 [0104.397] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="windows") returned -1 [0104.397] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="$RECYCLE.BIN") returned 1 [0104.397] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="rsa") returned -1 [0104.397] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="log") returned -1 [0104.397] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="NTDETECT.COM") returned -1 [0104.397] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="ntldr") returned -1 [0104.397] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="MSDOS.SYS") returned -1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="IO.SYS") returned 1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="boot.ini") returned 1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="AUTOEXEC.BAT") returned 1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="ntuser.dat") returned -1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="desktop.ini") returned 1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="CONFIG.SYS") returned 1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="RECYCLER") returned -1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="BOOTSECT.BAK") returned 1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="bootmgr") returned 1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="programdata") returned -1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="appdata") returned 1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="program files") returned -1 [0104.398] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="program files (x86)") returned -1 [0104.398] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0104.398] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="jrC27p-IO0j2Kbl.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jrC27p-IO0j2Kbl.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jrC27p-IO0j2Kbl.wav" [0104.398] PathFindExtensionW (pszPath="jrC27p-IO0j2Kbl.wav") returned=".wav" [0104.398] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0104.398] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0104.398] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0104.398] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0104.398] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0104.398] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0104.398] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0104.398] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0104.398] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0104.398] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0104.398] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0104.399] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0104.399] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0104.399] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0104.399] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0104.399] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0104.399] lstrcmpiW (lpString1="jrC27p-IO0j2Kbl.wav", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.399] lstrlenA (lpString="NEPHILIM") returned 8 [0104.399] GetProcessHeap () returned 0x4e0000 [0104.399] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5051a0 [0104.399] lstrlenA (lpString="NEPHILIM") returned 8 [0104.399] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jrC27p-IO0j2Kbl.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jrc27p-io0j2kbl.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0104.399] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=87897) returned 1 [0104.399] GetProcessHeap () returned 0x4e0000 [0104.399] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.399] GetProcessHeap () returned 0x4e0000 [0104.399] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.399] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.399] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.399] GetProcessHeap () returned 0x4e0000 [0104.400] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.400] GetProcessHeap () returned 0x4e0000 [0104.400] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.400] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0104.400] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0104.400] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15759, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.400] SetLastError (dwErrCode=0x0) [0104.400] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.401] GetLastError () returned 0x0 [0104.401] GetLastError () returned 0x0 [0104.402] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15859, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.402] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.402] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15959, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.402] lstrlenA (lpString="NEPHILIM") returned 8 [0104.402] WriteFile (in: hFile=0xec, lpBuffer=0x5051a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5051a0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0104.402] GetProcessHeap () returned 0x4e0000 [0104.402] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x15759) returned 0x50b8a8 [0104.402] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.402] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x15759, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x15759, lpOverlapped=0x0) returned 1 [0104.408] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.408] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x15759, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x15759, lpOverlapped=0x0) returned 1 [0104.409] GetProcessHeap () returned 0x4e0000 [0104.409] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0104.409] CloseHandle (hObject=0xec) returned 1 [0104.411] GetProcessHeap () returned 0x4e0000 [0104.411] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.411] GetProcessHeap () returned 0x4e0000 [0104.412] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.412] GetProcessHeap () returned 0x4e0000 [0104.412] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.412] GetProcessHeap () returned 0x4e0000 [0104.412] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.412] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jrC27p-IO0j2Kbl.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jrC27p-IO0j2Kbl.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jrC27p-IO0j2Kbl.wav" [0104.412] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jrC27p-IO0j2Kbl.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jrC27p-IO0j2Kbl.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jrC27p-IO0j2Kbl.wav.NEPHILIM" [0104.412] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jrC27p-IO0j2Kbl.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jrc27p-io0j2kbl.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jrC27p-IO0j2Kbl.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jrc27p-io0j2kbl.wav.nephilim")) returned 1 [0104.413] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b50a750, ftCreationTime.dwHighDateTime=0x1d5de78, ftLastAccessTime.dwLowDateTime=0xb0fc3f80, ftLastAccessTime.dwHighDateTime=0x1d5d7ed, ftLastWriteTime.dwLowDateTime=0xb0fc3f80, ftLastWriteTime.dwHighDateTime=0x1d5d7ed, nFileSizeHigh=0x0, nFileSizeLow=0xfaf3, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="ldONxLUYalN.wav", cAlternateFileName="LDONXL~1.WAV")) returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2=".") returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="..") returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="...") returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="windows") returned -1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="$RECYCLE.BIN") returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="rsa") returned -1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="log") returned -1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="NTDETECT.COM") returned -1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="ntldr") returned -1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="MSDOS.SYS") returned -1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="IO.SYS") returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="boot.ini") returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="AUTOEXEC.BAT") returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="ntuser.dat") returned -1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="desktop.ini") returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="CONFIG.SYS") returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="RECYCLER") returned -1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="BOOTSECT.BAK") returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="bootmgr") returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="programdata") returned -1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="appdata") returned 1 [0104.413] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="program files") returned -1 [0104.414] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="program files (x86)") returned -1 [0104.414] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0104.414] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="ldONxLUYalN.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ldONxLUYalN.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ldONxLUYalN.wav" [0104.414] PathFindExtensionW (pszPath="ldONxLUYalN.wav") returned=".wav" [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0104.414] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0104.414] lstrcmpiW (lpString1="ldONxLUYalN.wav", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.414] lstrlenA (lpString="NEPHILIM") returned 8 [0104.414] GetProcessHeap () returned 0x4e0000 [0104.414] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5051b0 [0104.414] lstrlenA (lpString="NEPHILIM") returned 8 [0104.415] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ldONxLUYalN.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ldonxluyaln.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0104.415] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=64243) returned 1 [0104.415] GetProcessHeap () returned 0x4e0000 [0104.415] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.415] GetProcessHeap () returned 0x4e0000 [0104.415] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.415] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.415] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.415] GetProcessHeap () returned 0x4e0000 [0104.415] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.415] GetProcessHeap () returned 0x4e0000 [0104.415] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.415] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0104.415] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0104.416] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfaf3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.416] SetLastError (dwErrCode=0x0) [0104.416] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.417] GetLastError () returned 0x0 [0104.417] GetLastError () returned 0x0 [0104.417] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfbf3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.417] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.417] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfcf3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.417] lstrlenA (lpString="NEPHILIM") returned 8 [0104.417] WriteFile (in: hFile=0xec, lpBuffer=0x5051b0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5051b0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0104.418] GetProcessHeap () returned 0x4e0000 [0104.418] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xfaf3) returned 0x50b8a8 [0104.418] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.418] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0xfaf3, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0xfaf3, lpOverlapped=0x0) returned 1 [0104.444] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.444] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0xfaf3, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0xfaf3, lpOverlapped=0x0) returned 1 [0104.444] GetProcessHeap () returned 0x4e0000 [0104.444] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0104.444] CloseHandle (hObject=0xec) returned 1 [0104.446] GetProcessHeap () returned 0x4e0000 [0104.446] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.446] GetProcessHeap () returned 0x4e0000 [0104.446] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.446] GetProcessHeap () returned 0x4e0000 [0104.446] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.446] GetProcessHeap () returned 0x4e0000 [0104.446] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.446] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ldONxLUYalN.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ldONxLUYalN.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ldONxLUYalN.wav" [0104.447] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ldONxLUYalN.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ldONxLUYalN.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ldONxLUYalN.wav.NEPHILIM" [0104.447] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ldONxLUYalN.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ldonxluyaln.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ldONxLUYalN.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ldonxluyaln.wav.nephilim")) returned 1 [0104.447] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27b0d550, ftCreationTime.dwHighDateTime=0x1d5df91, ftLastAccessTime.dwLowDateTime=0xaf5594e0, ftLastAccessTime.dwHighDateTime=0x1d5de02, ftLastWriteTime.dwLowDateTime=0xaf5594e0, ftLastWriteTime.dwHighDateTime=0x1d5de02, nFileSizeHigh=0x0, nFileSizeLow=0x1827, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="m0glIt.m4a", cAlternateFileName="")) returned 1 [0104.447] lstrcmpiW (lpString1="m0glIt.m4a", lpString2=".") returned 1 [0104.447] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="..") returned 1 [0104.447] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="...") returned 1 [0104.447] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="windows") returned -1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="rsa") returned -1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="log") returned 1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="NTDETECT.COM") returned -1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="ntldr") returned -1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="MSDOS.SYS") returned -1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="IO.SYS") returned 1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="boot.ini") returned 1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="ntuser.dat") returned -1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="desktop.ini") returned 1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="CONFIG.SYS") returned 1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="RECYCLER") returned -1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="bootmgr") returned 1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="programdata") returned -1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="appdata") returned 1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="program files") returned -1 [0104.448] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="program files (x86)") returned -1 [0104.448] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0104.448] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="m0glIt.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\m0glIt.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\m0glIt.m4a" [0104.448] PathFindExtensionW (pszPath="m0glIt.m4a") returned=".m4a" [0104.448] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.448] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.448] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.448] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.449] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.449] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.449] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.449] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.449] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.449] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.449] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.449] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.449] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.449] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.449] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.449] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.449] lstrcmpiW (lpString1="m0glIt.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.449] lstrlenA (lpString="NEPHILIM") returned 8 [0104.449] GetProcessHeap () returned 0x4e0000 [0104.449] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5051c0 [0104.449] lstrlenA (lpString="NEPHILIM") returned 8 [0104.449] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\m0glIt.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\m0glit.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0104.449] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=6183) returned 1 [0104.449] GetProcessHeap () returned 0x4e0000 [0104.449] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.449] GetProcessHeap () returned 0x4e0000 [0104.449] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.450] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.450] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.450] GetProcessHeap () returned 0x4e0000 [0104.450] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.450] GetProcessHeap () returned 0x4e0000 [0104.450] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.450] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0104.450] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0104.450] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1827, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.450] SetLastError (dwErrCode=0x0) [0104.450] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.452] GetLastError () returned 0x0 [0104.452] GetLastError () returned 0x0 [0104.452] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1927, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.452] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.453] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1a27, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.453] lstrlenA (lpString="NEPHILIM") returned 8 [0104.453] WriteFile (in: hFile=0xec, lpBuffer=0x5051c0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5051c0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0104.453] GetProcessHeap () returned 0x4e0000 [0104.453] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1827) returned 0x50b8a8 [0104.453] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.453] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x1827, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x1827, lpOverlapped=0x0) returned 1 [0104.453] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.453] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x1827, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x1827, lpOverlapped=0x0) returned 1 [0104.454] GetProcessHeap () returned 0x4e0000 [0104.454] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0104.454] CloseHandle (hObject=0xec) returned 1 [0104.456] GetProcessHeap () returned 0x4e0000 [0104.456] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.456] GetProcessHeap () returned 0x4e0000 [0104.456] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.456] GetProcessHeap () returned 0x4e0000 [0104.456] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.456] GetProcessHeap () returned 0x4e0000 [0104.456] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.457] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\m0glIt.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\m0glIt.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\m0glIt.m4a" [0104.457] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\m0glIt.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\m0glIt.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\m0glIt.m4a.NEPHILIM" [0104.457] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\m0glIt.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\m0glit.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\m0glIt.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\m0glit.m4a.nephilim")) returned 1 [0104.457] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe811e60, ftCreationTime.dwHighDateTime=0x1d5e00c, ftLastAccessTime.dwLowDateTime=0xab87b720, ftLastAccessTime.dwHighDateTime=0x1d5d827, ftLastWriteTime.dwLowDateTime=0xab87b720, ftLastWriteTime.dwHighDateTime=0x1d5d827, nFileSizeHigh=0x0, nFileSizeLow=0x11c12, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="NGnj_ h1E _6.m4a", cAlternateFileName="NGNJ_H~1.M4A")) returned 1 [0104.457] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2=".") returned 1 [0104.457] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="..") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="...") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="windows") returned -1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="rsa") returned -1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="log") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="NTDETECT.COM") returned -1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="ntldr") returned -1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="MSDOS.SYS") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="IO.SYS") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="boot.ini") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="ntuser.dat") returned -1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="desktop.ini") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="CONFIG.SYS") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="RECYCLER") returned -1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="bootmgr") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="programdata") returned -1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="appdata") returned 1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="program files") returned -1 [0104.458] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="program files (x86)") returned -1 [0104.458] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0104.458] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="NGnj_ h1E _6.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NGnj_ h1E _6.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NGnj_ h1E _6.m4a" [0104.458] PathFindExtensionW (pszPath="NGnj_ h1E _6.m4a") returned=".m4a" [0104.458] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.458] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.459] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.459] lstrcmpiW (lpString1="NGnj_ h1E _6.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.459] lstrlenA (lpString="NEPHILIM") returned 8 [0104.459] GetProcessHeap () returned 0x4e0000 [0104.459] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5051d0 [0104.459] lstrlenA (lpString="NEPHILIM") returned 8 [0104.459] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NGnj_ h1E _6.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ngnj_ h1e _6.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0104.459] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=72722) returned 1 [0104.459] GetProcessHeap () returned 0x4e0000 [0104.460] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.460] GetProcessHeap () returned 0x4e0000 [0104.460] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.460] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.460] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.460] GetProcessHeap () returned 0x4e0000 [0104.460] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.460] GetProcessHeap () returned 0x4e0000 [0104.460] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.460] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de208*=0x100) returned 1 [0104.460] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de204*=0x100) returned 1 [0104.460] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11c12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.460] SetLastError (dwErrCode=0x0) [0104.460] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.462] GetLastError () returned 0x0 [0104.462] GetLastError () returned 0x0 [0104.462] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11d12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.462] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.462] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11e12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.462] lstrlenA (lpString="NEPHILIM") returned 8 [0104.462] WriteFile (in: hFile=0xec, lpBuffer=0x5051d0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5051d0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0104.462] GetProcessHeap () returned 0x4e0000 [0104.462] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x11c12) returned 0x50b8a8 [0104.462] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.462] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x11c12, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x11c12, lpOverlapped=0x0) returned 1 [0104.467] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.467] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x11c12, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x11c12, lpOverlapped=0x0) returned 1 [0104.468] GetProcessHeap () returned 0x4e0000 [0104.468] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0104.468] CloseHandle (hObject=0xec) returned 1 [0104.469] GetProcessHeap () returned 0x4e0000 [0104.470] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.470] GetProcessHeap () returned 0x4e0000 [0104.470] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.470] GetProcessHeap () returned 0x4e0000 [0104.470] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.470] GetProcessHeap () returned 0x4e0000 [0104.470] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.470] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NGnj_ h1E _6.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NGnj_ h1E _6.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NGnj_ h1E _6.m4a" [0104.470] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NGnj_ h1E _6.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NGnj_ h1E _6.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NGnj_ h1E _6.m4a.NEPHILIM" [0104.470] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NGnj_ h1E _6.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ngnj_ h1e _6.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\NGnj_ h1E _6.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ngnj_ h1e _6.m4a.nephilim")) returned 1 [0104.471] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66f65000, ftCreationTime.dwHighDateTime=0x1d5dd9d, ftLastAccessTime.dwLowDateTime=0x3b171a0, ftLastAccessTime.dwHighDateTime=0x1d5e79d, ftLastWriteTime.dwLowDateTime=0x3b171a0, ftLastWriteTime.dwHighDateTime=0x1d5e79d, nFileSizeHigh=0x0, nFileSizeLow=0x3134, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="OCpJ_5bxkAc1Z.wav", cAlternateFileName="OCPJ_5~1.WAV")) returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2=".") returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="..") returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="...") returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="windows") returned -1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="$RECYCLE.BIN") returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="rsa") returned -1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="log") returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="NTDETECT.COM") returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="ntldr") returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="MSDOS.SYS") returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="IO.SYS") returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="boot.ini") returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="AUTOEXEC.BAT") returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="ntuser.dat") returned 1 [0104.471] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="desktop.ini") returned 1 [0104.472] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="CONFIG.SYS") returned 1 [0104.472] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="RECYCLER") returned -1 [0104.472] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="BOOTSECT.BAK") returned 1 [0104.472] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="bootmgr") returned 1 [0104.472] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="programdata") returned -1 [0104.472] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="appdata") returned 1 [0104.472] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="program files") returned -1 [0104.472] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="program files (x86)") returned -1 [0104.472] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0104.472] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="OCpJ_5bxkAc1Z.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OCpJ_5bxkAc1Z.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OCpJ_5bxkAc1Z.wav" [0104.472] PathFindExtensionW (pszPath="OCpJ_5bxkAc1Z.wav") returned=".wav" [0104.472] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0104.472] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0104.472] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0104.472] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0104.472] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0104.472] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0104.472] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0104.472] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0104.472] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0104.472] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0104.472] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0104.472] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0104.473] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0104.473] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0104.473] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0104.473] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0104.473] lstrcmpiW (lpString1="OCpJ_5bxkAc1Z.wav", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.473] lstrlenA (lpString="NEPHILIM") returned 8 [0104.473] GetProcessHeap () returned 0x4e0000 [0104.473] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5051e0 [0104.473] lstrlenA (lpString="NEPHILIM") returned 8 [0104.473] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OCpJ_5bxkAc1Z.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ocpj_5bxkac1z.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0104.473] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=12596) returned 1 [0104.473] GetProcessHeap () returned 0x4e0000 [0104.473] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.473] GetProcessHeap () returned 0x4e0000 [0104.473] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.473] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.473] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.473] GetProcessHeap () returned 0x4e0000 [0104.473] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.473] GetProcessHeap () returned 0x4e0000 [0104.474] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.474] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de208*=0x100) returned 1 [0104.474] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de204*=0x100) returned 1 [0104.474] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x3134, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.474] SetLastError (dwErrCode=0x0) [0104.474] WriteFile (in: hFile=0xec, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.475] GetLastError () returned 0x0 [0104.475] GetLastError () returned 0x0 [0104.475] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x3234, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.476] WriteFile (in: hFile=0xec, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.476] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x3334, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.476] lstrlenA (lpString="NEPHILIM") returned 8 [0104.476] WriteFile (in: hFile=0xec, lpBuffer=0x5051e0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x5051e0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0104.476] GetProcessHeap () returned 0x4e0000 [0104.476] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3134) returned 0x50b8a8 [0104.476] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.476] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x3134, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x3134, lpOverlapped=0x0) returned 1 [0104.477] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.477] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x3134, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x3134, lpOverlapped=0x0) returned 1 [0104.477] GetProcessHeap () returned 0x4e0000 [0104.477] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0104.477] CloseHandle (hObject=0xec) returned 1 [0104.478] GetProcessHeap () returned 0x4e0000 [0104.478] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.478] GetProcessHeap () returned 0x4e0000 [0104.479] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.479] GetProcessHeap () returned 0x4e0000 [0104.479] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.479] GetProcessHeap () returned 0x4e0000 [0104.479] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.479] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OCpJ_5bxkAc1Z.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OCpJ_5bxkAc1Z.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OCpJ_5bxkAc1Z.wav" [0104.479] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OCpJ_5bxkAc1Z.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OCpJ_5bxkAc1Z.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OCpJ_5bxkAc1Z.wav.NEPHILIM" [0104.479] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OCpJ_5bxkAc1Z.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ocpj_5bxkac1z.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\OCpJ_5bxkAc1Z.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ocpj_5bxkac1z.wav.nephilim")) returned 1 [0104.480] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6311e80, ftCreationTime.dwHighDateTime=0x1d5e332, ftLastAccessTime.dwLowDateTime=0x4a79adf0, ftLastAccessTime.dwHighDateTime=0x1d5dd9d, ftLastWriteTime.dwLowDateTime=0x4a79adf0, ftLastWriteTime.dwHighDateTime=0x1d5dd9d, nFileSizeHigh=0x0, nFileSizeLow=0xdbb5, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="PvAKvpMmONp.mp3", cAlternateFileName="PVAKVP~1.MP3")) returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2=".") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="..") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="...") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="windows") returned -1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="$RECYCLE.BIN") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="rsa") returned -1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="log") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="NTDETECT.COM") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="ntldr") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="MSDOS.SYS") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="IO.SYS") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="boot.ini") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="ntuser.dat") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="desktop.ini") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="CONFIG.SYS") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="RECYCLER") returned -1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="BOOTSECT.BAK") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="bootmgr") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="programdata") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="appdata") returned 1 [0104.480] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="program files") returned 1 [0104.481] lstrcmpiW (lpString1="PvAKvpMmONp.mp3", lpString2="program files (x86)") returned 1 [0104.481] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0104.481] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="PvAKvpMmONp.mp3" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\PvAKvpMmONp.mp3") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\PvAKvpMmONp.mp3" [0104.481] PathFindExtensionW (pszPath="PvAKvpMmONp.mp3") returned=".mp3" [0104.481] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0104.481] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0104.481] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0104.481] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0104.481] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0104.481] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0104.481] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0104.481] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0104.481] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0104.481] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0104.481] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0104.481] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66ef0060, ftCreationTime.dwHighDateTime=0x1d5d8e4, ftLastAccessTime.dwLowDateTime=0x689e6fd0, ftLastAccessTime.dwHighDateTime=0x1d5e763, ftLastWriteTime.dwLowDateTime=0x689e6fd0, ftLastWriteTime.dwHighDateTime=0x1d5e763, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="UEL4L3jO9WoSQ7Qozz6", cAlternateFileName="UEL4L3~1")) returned 1 [0104.481] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2=".") returned 1 [0104.481] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="..") returned 1 [0104.481] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="...") returned 1 [0104.481] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="windows") returned -1 [0104.481] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="$RECYCLE.BIN") returned 1 [0104.481] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="rsa") returned 1 [0104.481] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="log") returned 1 [0104.481] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="NTDETECT.COM") returned 1 [0104.481] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="ntldr") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="MSDOS.SYS") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="IO.SYS") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="boot.ini") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="AUTOEXEC.BAT") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="ntuser.dat") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="desktop.ini") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="CONFIG.SYS") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="RECYCLER") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="BOOTSECT.BAK") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="bootmgr") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="programdata") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="appdata") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="program files") returned 1 [0104.482] lstrcmpiW (lpString1="UEL4L3jO9WoSQ7Qozz6", lpString2="program files (x86)") returned 1 [0104.482] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0104.482] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="UEL4L3jO9WoSQ7Qozz6" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6" [0104.482] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.482] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.482] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\*.*" [0104.482] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66ef0060, ftCreationTime.dwHighDateTime=0x1d5d8e4, ftLastAccessTime.dwLowDateTime=0x689e6fd0, ftLastAccessTime.dwHighDateTime=0x1d5e763, ftLastWriteTime.dwLowDateTime=0x689e6fd0, ftLastWriteTime.dwHighDateTime=0x1d5e763, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0104.482] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.483] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66ef0060, ftCreationTime.dwHighDateTime=0x1d5d8e4, ftLastAccessTime.dwLowDateTime=0x689e6fd0, ftLastAccessTime.dwHighDateTime=0x1d5e763, ftLastWriteTime.dwLowDateTime=0x689e6fd0, ftLastWriteTime.dwHighDateTime=0x1d5e763, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="..", cAlternateFileName="")) returned 1 [0104.483] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.483] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.483] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d825c10, ftCreationTime.dwHighDateTime=0x1d5d968, ftLastAccessTime.dwLowDateTime=0x835f0a60, ftLastAccessTime.dwHighDateTime=0x1d5e53c, ftLastWriteTime.dwLowDateTime=0x835f0a60, ftLastWriteTime.dwHighDateTime=0x1d5e53c, nFileSizeHigh=0x0, nFileSizeLow=0x176f0, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="2fDth.wav", cAlternateFileName="")) returned 1 [0104.483] lstrcmpiW (lpString1="2fDth.wav", lpString2=".") returned 1 [0104.483] lstrcmpiW (lpString1="2fDth.wav", lpString2="..") returned 1 [0104.483] lstrcmpiW (lpString1="2fDth.wav", lpString2="...") returned 1 [0104.483] lstrcmpiW (lpString1="2fDth.wav", lpString2="windows") returned -1 [0104.483] lstrcmpiW (lpString1="2fDth.wav", lpString2="$RECYCLE.BIN") returned 1 [0104.483] lstrcmpiW (lpString1="2fDth.wav", lpString2="rsa") returned -1 [0104.483] lstrcmpiW (lpString1="2fDth.wav", lpString2="log") returned -1 [0104.483] lstrcmpiW (lpString1="2fDth.wav", lpString2="NTDETECT.COM") returned -1 [0104.483] lstrcmpiW (lpString1="2fDth.wav", lpString2="ntldr") returned -1 [0104.483] lstrcmpiW (lpString1="2fDth.wav", lpString2="MSDOS.SYS") returned -1 [0104.511] lstrcmpiW (lpString1="2fDth.wav", lpString2="IO.SYS") returned -1 [0104.512] lstrcmpiW (lpString1="2fDth.wav", lpString2="boot.ini") returned -1 [0104.512] lstrcmpiW (lpString1="2fDth.wav", lpString2="AUTOEXEC.BAT") returned -1 [0104.512] lstrcmpiW (lpString1="2fDth.wav", lpString2="ntuser.dat") returned -1 [0104.512] lstrcmpiW (lpString1="2fDth.wav", lpString2="desktop.ini") returned -1 [0104.512] lstrcmpiW (lpString1="2fDth.wav", lpString2="CONFIG.SYS") returned -1 [0104.512] lstrcmpiW (lpString1="2fDth.wav", lpString2="RECYCLER") returned -1 [0104.512] lstrcmpiW (lpString1="2fDth.wav", lpString2="BOOTSECT.BAK") returned -1 [0104.512] lstrcmpiW (lpString1="2fDth.wav", lpString2="bootmgr") returned -1 [0104.512] lstrcmpiW (lpString1="2fDth.wav", lpString2="programdata") returned -1 [0104.512] lstrcmpiW (lpString1="2fDth.wav", lpString2="appdata") returned -1 [0104.512] lstrcmpiW (lpString1="2fDth.wav", lpString2="program files") returned -1 [0104.512] lstrcmpiW (lpString1="2fDth.wav", lpString2="program files (x86)") returned -1 [0104.512] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.512] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\", lpString2="2fDth.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\2fDth.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\2fDth.wav" [0104.512] PathFindExtensionW (pszPath="2fDth.wav") returned=".wav" [0104.512] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0104.512] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0104.512] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0104.512] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0104.512] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0104.512] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0104.512] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0104.512] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0104.512] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0104.512] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0104.512] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0104.513] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0104.513] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0104.513] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0104.513] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0104.513] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0104.513] lstrcmpiW (lpString1="2fDth.wav", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.513] lstrlenA (lpString="NEPHILIM") returned 8 [0104.513] GetProcessHeap () returned 0x4e0000 [0104.513] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x5051f0 [0104.513] lstrlenA (lpString="NEPHILIM") returned 8 [0104.513] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\2fDth.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\2fdth.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0104.513] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=95984) returned 1 [0104.513] GetProcessHeap () returned 0x4e0000 [0104.513] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.513] GetProcessHeap () returned 0x4e0000 [0104.513] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.513] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.514] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.514] GetProcessHeap () returned 0x4e0000 [0104.514] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.514] GetProcessHeap () returned 0x4e0000 [0104.514] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.514] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0104.514] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0104.515] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x176f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.515] SetLastError (dwErrCode=0x0) [0104.515] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.516] GetLastError () returned 0x0 [0104.516] GetLastError () returned 0x0 [0104.516] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x177f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.516] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.516] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x178f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.516] lstrlenA (lpString="NEPHILIM") returned 8 [0104.516] WriteFile (in: hFile=0xf0, lpBuffer=0x5051f0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5051f0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0104.516] GetProcessHeap () returned 0x4e0000 [0104.516] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x176f0) returned 0x50c8b0 [0104.516] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.516] ReadFile (in: hFile=0xf0, lpBuffer=0x50c8b0, nNumberOfBytesToRead=0x176f0, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesRead=0x24dddb0*=0x176f0, lpOverlapped=0x0) returned 1 [0104.523] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.523] WriteFile (in: hFile=0xf0, lpBuffer=0x50c8b0*, nNumberOfBytesToWrite=0x176f0, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x176f0, lpOverlapped=0x0) returned 1 [0104.523] GetProcessHeap () returned 0x4e0000 [0104.524] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b0 | out: hHeap=0x4e0000) returned 1 [0104.524] CloseHandle (hObject=0xf0) returned 1 [0104.525] GetProcessHeap () returned 0x4e0000 [0104.526] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.526] GetProcessHeap () returned 0x4e0000 [0104.526] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.526] GetProcessHeap () returned 0x4e0000 [0104.526] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.526] GetProcessHeap () returned 0x4e0000 [0104.526] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.526] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\2fDth.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\2fDth.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\2fDth.wav" [0104.526] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\2fDth.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\2fDth.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\2fDth.wav.NEPHILIM" [0104.526] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\2fDth.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\2fdth.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\2fDth.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\2fdth.wav.nephilim")) returned 1 [0104.527] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29053720, ftCreationTime.dwHighDateTime=0x1d5dde3, ftLastAccessTime.dwLowDateTime=0xf2c49830, ftLastAccessTime.dwHighDateTime=0x1d5e365, ftLastWriteTime.dwLowDateTime=0xf2c49830, ftLastWriteTime.dwHighDateTime=0x1d5e365, nFileSizeHigh=0x0, nFileSizeLow=0x8a8f, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="Aqc3Tj23FJcwNCLyRx5q.m4a", cAlternateFileName="AQC3TJ~1.M4A")) returned 1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2=".") returned 1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="..") returned 1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="...") returned 1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="windows") returned -1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="rsa") returned -1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="log") returned -1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="NTDETECT.COM") returned -1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="ntldr") returned -1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="MSDOS.SYS") returned -1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="IO.SYS") returned -1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="boot.ini") returned -1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="AUTOEXEC.BAT") returned -1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="ntuser.dat") returned -1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="desktop.ini") returned -1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="CONFIG.SYS") returned -1 [0104.527] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="RECYCLER") returned -1 [0104.528] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="BOOTSECT.BAK") returned -1 [0104.528] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="bootmgr") returned -1 [0104.528] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="programdata") returned -1 [0104.528] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="appdata") returned 1 [0104.528] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="program files") returned -1 [0104.528] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="program files (x86)") returned -1 [0104.528] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.528] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\", lpString2="Aqc3Tj23FJcwNCLyRx5q.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\Aqc3Tj23FJcwNCLyRx5q.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\Aqc3Tj23FJcwNCLyRx5q.m4a" [0104.528] PathFindExtensionW (pszPath="Aqc3Tj23FJcwNCLyRx5q.m4a") returned=".m4a" [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.528] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.528] lstrcmpiW (lpString1="Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.529] lstrlenA (lpString="NEPHILIM") returned 8 [0104.529] GetProcessHeap () returned 0x4e0000 [0104.529] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505200 [0104.529] lstrlenA (lpString="NEPHILIM") returned 8 [0104.529] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\Aqc3Tj23FJcwNCLyRx5q.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\aqc3tj23fjcwnclyrx5q.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0104.529] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=35471) returned 1 [0104.529] GetProcessHeap () returned 0x4e0000 [0104.529] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.529] GetProcessHeap () returned 0x4e0000 [0104.529] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.529] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.529] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.529] GetProcessHeap () returned 0x4e0000 [0104.529] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.529] GetProcessHeap () returned 0x4e0000 [0104.529] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.529] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0104.530] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0104.530] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x8a8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.530] SetLastError (dwErrCode=0x0) [0104.530] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.531] GetLastError () returned 0x0 [0104.531] GetLastError () returned 0x0 [0104.531] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x8b8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.531] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.531] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x8c8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.531] lstrlenA (lpString="NEPHILIM") returned 8 [0104.531] WriteFile (in: hFile=0xf0, lpBuffer=0x505200*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x505200*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0104.532] GetProcessHeap () returned 0x4e0000 [0104.532] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8a8f) returned 0x50c8b0 [0104.532] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.532] ReadFile (in: hFile=0xf0, lpBuffer=0x50c8b0, nNumberOfBytesToRead=0x8a8f, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesRead=0x24dddb0*=0x8a8f, lpOverlapped=0x0) returned 1 [0104.534] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.534] WriteFile (in: hFile=0xf0, lpBuffer=0x50c8b0*, nNumberOfBytesToWrite=0x8a8f, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x8a8f, lpOverlapped=0x0) returned 1 [0104.534] GetProcessHeap () returned 0x4e0000 [0104.535] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b0 | out: hHeap=0x4e0000) returned 1 [0104.535] CloseHandle (hObject=0xf0) returned 1 [0104.536] GetProcessHeap () returned 0x4e0000 [0104.536] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.536] GetProcessHeap () returned 0x4e0000 [0104.536] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.536] GetProcessHeap () returned 0x4e0000 [0104.536] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.536] GetProcessHeap () returned 0x4e0000 [0104.536] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.536] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\Aqc3Tj23FJcwNCLyRx5q.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\Aqc3Tj23FJcwNCLyRx5q.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\Aqc3Tj23FJcwNCLyRx5q.m4a" [0104.536] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\Aqc3Tj23FJcwNCLyRx5q.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\Aqc3Tj23FJcwNCLyRx5q.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\Aqc3Tj23FJcwNCLyRx5q.m4a.NEPHILIM" [0104.536] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\Aqc3Tj23FJcwNCLyRx5q.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\aqc3tj23fjcwnclyrx5q.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\Aqc3Tj23FJcwNCLyRx5q.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\aqc3tj23fjcwnclyrx5q.m4a.nephilim")) returned 1 [0104.537] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0214600, ftCreationTime.dwHighDateTime=0x1d5df5f, ftLastAccessTime.dwLowDateTime=0xf5e81500, ftLastAccessTime.dwHighDateTime=0x1d5e536, ftLastWriteTime.dwLowDateTime=0xf5e81500, ftLastWriteTime.dwHighDateTime=0x1d5e536, nFileSizeHigh=0x0, nFileSizeLow=0x6df6, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="D YYwZ_lgFw4_5bNPRct.m4a", cAlternateFileName="DYYWZ_~1.M4A")) returned 1 [0104.537] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2=".") returned 1 [0104.537] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="..") returned 1 [0104.537] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="...") returned 1 [0104.537] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="windows") returned -1 [0104.537] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.537] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="rsa") returned -1 [0104.537] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="log") returned -1 [0104.537] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="NTDETECT.COM") returned -1 [0104.537] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="ntldr") returned -1 [0104.537] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="MSDOS.SYS") returned -1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="IO.SYS") returned -1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="boot.ini") returned 1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="ntuser.dat") returned -1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="desktop.ini") returned -1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="CONFIG.SYS") returned 1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="RECYCLER") returned -1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="bootmgr") returned 1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="programdata") returned -1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="appdata") returned 1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="program files") returned -1 [0104.538] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="program files (x86)") returned -1 [0104.538] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.538] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\", lpString2="D YYwZ_lgFw4_5bNPRct.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D YYwZ_lgFw4_5bNPRct.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D YYwZ_lgFw4_5bNPRct.m4a" [0104.538] PathFindExtensionW (pszPath="D YYwZ_lgFw4_5bNPRct.m4a") returned=".m4a" [0104.538] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.538] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.538] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.538] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.538] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.538] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.538] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.538] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.538] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.539] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.539] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.539] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.539] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.539] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.539] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.539] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.539] lstrcmpiW (lpString1="D YYwZ_lgFw4_5bNPRct.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.539] lstrlenA (lpString="NEPHILIM") returned 8 [0104.539] GetProcessHeap () returned 0x4e0000 [0104.539] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505210 [0104.539] lstrlenA (lpString="NEPHILIM") returned 8 [0104.539] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D YYwZ_lgFw4_5bNPRct.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d yywz_lgfw4_5bnprct.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0104.539] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=28150) returned 1 [0104.544] GetProcessHeap () returned 0x4e0000 [0104.544] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.544] GetProcessHeap () returned 0x4e0000 [0104.544] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.544] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.544] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.544] GetProcessHeap () returned 0x4e0000 [0104.545] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.545] GetProcessHeap () returned 0x4e0000 [0104.545] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.545] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0104.545] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0104.545] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x6df6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.547] SetLastError (dwErrCode=0x0) [0104.547] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.548] GetLastError () returned 0x0 [0104.548] GetLastError () returned 0x0 [0104.548] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x6ef6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.548] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.549] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x6ff6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.549] lstrlenA (lpString="NEPHILIM") returned 8 [0104.549] WriteFile (in: hFile=0xf0, lpBuffer=0x505210*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x505210*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0104.549] GetProcessHeap () returned 0x4e0000 [0104.549] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x6df6) returned 0x50c8b0 [0104.549] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.549] ReadFile (in: hFile=0xf0, lpBuffer=0x50c8b0, nNumberOfBytesToRead=0x6df6, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesRead=0x24dddb0*=0x6df6, lpOverlapped=0x0) returned 1 [0104.551] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.551] WriteFile (in: hFile=0xf0, lpBuffer=0x50c8b0*, nNumberOfBytesToWrite=0x6df6, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesWritten=0x24dddbc*=0x6df6, lpOverlapped=0x0) returned 1 [0104.551] GetProcessHeap () returned 0x4e0000 [0104.551] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b0 | out: hHeap=0x4e0000) returned 1 [0104.551] CloseHandle (hObject=0xf0) returned 1 [0104.553] GetProcessHeap () returned 0x4e0000 [0104.553] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.553] GetProcessHeap () returned 0x4e0000 [0104.553] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.553] GetProcessHeap () returned 0x4e0000 [0104.553] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.553] GetProcessHeap () returned 0x4e0000 [0104.553] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.553] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D YYwZ_lgFw4_5bNPRct.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D YYwZ_lgFw4_5bNPRct.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D YYwZ_lgFw4_5bNPRct.m4a" [0104.553] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D YYwZ_lgFw4_5bNPRct.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D YYwZ_lgFw4_5bNPRct.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D YYwZ_lgFw4_5bNPRct.m4a.NEPHILIM" [0104.553] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D YYwZ_lgFw4_5bNPRct.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d yywz_lgfw4_5bnprct.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D YYwZ_lgFw4_5bNPRct.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d yywz_lgfw4_5bnprct.m4a.nephilim")) returned 1 [0104.554] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ac232e0, ftCreationTime.dwHighDateTime=0x1d5e395, ftLastAccessTime.dwLowDateTime=0xa102e9b0, ftLastAccessTime.dwHighDateTime=0x1d5dcbd, ftLastWriteTime.dwLowDateTime=0xa102e9b0, ftLastWriteTime.dwHighDateTime=0x1d5dcbd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="D918ob_hACUbatXR", cAlternateFileName="D918OB~1")) returned 1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2=".") returned 1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="..") returned 1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="...") returned 1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="windows") returned -1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="$RECYCLE.BIN") returned 1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="rsa") returned -1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="log") returned -1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="NTDETECT.COM") returned -1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="ntldr") returned -1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="MSDOS.SYS") returned -1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="IO.SYS") returned -1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="boot.ini") returned 1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="AUTOEXEC.BAT") returned 1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="ntuser.dat") returned -1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="desktop.ini") returned -1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="CONFIG.SYS") returned 1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="RECYCLER") returned -1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="BOOTSECT.BAK") returned 1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="bootmgr") returned 1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="programdata") returned -1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="appdata") returned 1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="program files") returned -1 [0104.555] lstrcmpiW (lpString1="D918ob_hACUbatXR", lpString2="program files (x86)") returned -1 [0104.555] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.555] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\", lpString2="D918ob_hACUbatXR" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR" [0104.556] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.556] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.556] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\*.*" [0104.556] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ac232e0, ftCreationTime.dwHighDateTime=0x1d5e395, ftLastAccessTime.dwLowDateTime=0xa102e9b0, ftLastAccessTime.dwHighDateTime=0x1d5dcbd, ftLastWriteTime.dwLowDateTime=0xa102e9b0, ftLastWriteTime.dwHighDateTime=0x1d5dcbd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0104.556] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.556] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ac232e0, ftCreationTime.dwHighDateTime=0x1d5e395, ftLastAccessTime.dwLowDateTime=0xa102e9b0, ftLastAccessTime.dwHighDateTime=0x1d5dcbd, ftLastWriteTime.dwLowDateTime=0xa102e9b0, ftLastWriteTime.dwHighDateTime=0x1d5dcbd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="..", cAlternateFileName="")) returned 1 [0104.556] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.556] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.556] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcff194b0, ftCreationTime.dwHighDateTime=0x1d5e5cd, ftLastAccessTime.dwLowDateTime=0xd7893750, ftLastAccessTime.dwHighDateTime=0x1d5db23, ftLastWriteTime.dwLowDateTime=0xd7893750, ftLastWriteTime.dwHighDateTime=0x1d5db23, nFileSizeHigh=0x0, nFileSizeLow=0xca7e, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="ExY795tfOc4MdI3s0X3U.wav", cAlternateFileName="EXY795~1.WAV")) returned 1 [0104.556] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2=".") returned 1 [0104.556] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="..") returned 1 [0104.556] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="...") returned 1 [0104.556] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="windows") returned -1 [0104.556] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="$RECYCLE.BIN") returned 1 [0104.556] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="rsa") returned -1 [0104.556] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="log") returned -1 [0104.556] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="NTDETECT.COM") returned -1 [0104.556] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="ntldr") returned -1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="MSDOS.SYS") returned -1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="IO.SYS") returned -1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="boot.ini") returned 1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="AUTOEXEC.BAT") returned 1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="ntuser.dat") returned -1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="desktop.ini") returned 1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="CONFIG.SYS") returned 1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="RECYCLER") returned -1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="BOOTSECT.BAK") returned 1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="bootmgr") returned 1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="programdata") returned -1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="appdata") returned 1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="program files") returned -1 [0104.557] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="program files (x86)") returned -1 [0104.557] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.557] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="ExY795tfOc4MdI3s0X3U.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\ExY795tfOc4MdI3s0X3U.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\ExY795tfOc4MdI3s0X3U.wav" [0104.557] PathFindExtensionW (pszPath="ExY795tfOc4MdI3s0X3U.wav") returned=".wav" [0104.557] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0104.557] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0104.557] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0104.557] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0104.557] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0104.557] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0104.557] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0104.557] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0104.558] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0104.558] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0104.558] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0104.558] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0104.558] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0104.558] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0104.558] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0104.558] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0104.558] lstrcmpiW (lpString1="ExY795tfOc4MdI3s0X3U.wav", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.558] lstrlenA (lpString="NEPHILIM") returned 8 [0104.558] GetProcessHeap () returned 0x4e0000 [0104.558] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505220 [0104.558] lstrlenA (lpString="NEPHILIM") returned 8 [0104.558] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\ExY795tfOc4MdI3s0X3U.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\exy795tfoc4mdi3s0x3u.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0104.558] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=51838) returned 1 [0104.558] GetProcessHeap () returned 0x4e0000 [0104.558] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.559] GetProcessHeap () returned 0x4e0000 [0104.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.559] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.559] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.559] GetProcessHeap () returned 0x4e0000 [0104.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.559] GetProcessHeap () returned 0x4e0000 [0104.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.559] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0104.559] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0104.559] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xca7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.559] SetLastError (dwErrCode=0x0) [0104.559] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.561] GetLastError () returned 0x0 [0104.561] GetLastError () returned 0x0 [0104.561] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xcb7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.561] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.562] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xcc7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.562] lstrlenA (lpString="NEPHILIM") returned 8 [0104.562] WriteFile (in: hFile=0xf4, lpBuffer=0x505220*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x505220*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0104.562] GetProcessHeap () returned 0x4e0000 [0104.562] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xca7e) returned 0x50d8b8 [0104.562] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.562] ReadFile (in: hFile=0xf4, lpBuffer=0x50d8b8, nNumberOfBytesToRead=0xca7e, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesRead=0x24dd730*=0xca7e, lpOverlapped=0x0) returned 1 [0104.566] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.566] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8b8*, nNumberOfBytesToWrite=0xca7e, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesWritten=0x24dd73c*=0xca7e, lpOverlapped=0x0) returned 1 [0104.566] GetProcessHeap () returned 0x4e0000 [0104.566] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d8b8 | out: hHeap=0x4e0000) returned 1 [0104.567] CloseHandle (hObject=0xf4) returned 1 [0104.576] GetProcessHeap () returned 0x4e0000 [0104.576] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.576] GetProcessHeap () returned 0x4e0000 [0104.576] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.576] GetProcessHeap () returned 0x4e0000 [0104.576] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.576] GetProcessHeap () returned 0x4e0000 [0104.576] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.576] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\ExY795tfOc4MdI3s0X3U.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\ExY795tfOc4MdI3s0X3U.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\ExY795tfOc4MdI3s0X3U.wav" [0104.577] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\ExY795tfOc4MdI3s0X3U.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\ExY795tfOc4MdI3s0X3U.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\ExY795tfOc4MdI3s0X3U.wav.NEPHILIM" [0104.577] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\ExY795tfOc4MdI3s0X3U.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\exy795tfoc4mdi3s0x3u.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\ExY795tfOc4MdI3s0X3U.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\exy795tfoc4mdi3s0x3u.wav.nephilim")) returned 1 [0104.580] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1b993f0, ftCreationTime.dwHighDateTime=0x1d5e3df, ftLastAccessTime.dwLowDateTime=0xf78881c0, ftLastAccessTime.dwHighDateTime=0x1d5e7ab, ftLastWriteTime.dwLowDateTime=0xf78881c0, ftLastWriteTime.dwHighDateTime=0x1d5e7ab, nFileSizeHigh=0x0, nFileSizeLow=0xe752, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="GC6ETPphsGdG.wav", cAlternateFileName="GC6ETP~1.WAV")) returned 1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2=".") returned 1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="..") returned 1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="...") returned 1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="windows") returned -1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="$RECYCLE.BIN") returned 1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="rsa") returned -1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="log") returned -1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="NTDETECT.COM") returned -1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="ntldr") returned -1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="MSDOS.SYS") returned -1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="IO.SYS") returned -1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="boot.ini") returned 1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="AUTOEXEC.BAT") returned 1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="ntuser.dat") returned -1 [0104.580] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="desktop.ini") returned 1 [0104.581] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="CONFIG.SYS") returned 1 [0104.581] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="RECYCLER") returned -1 [0104.581] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="BOOTSECT.BAK") returned 1 [0104.581] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="bootmgr") returned 1 [0104.581] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="programdata") returned -1 [0104.581] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="appdata") returned 1 [0104.581] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="program files") returned -1 [0104.581] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="program files (x86)") returned -1 [0104.581] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.581] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="GC6ETPphsGdG.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GC6ETPphsGdG.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GC6ETPphsGdG.wav" [0104.581] PathFindExtensionW (pszPath="GC6ETPphsGdG.wav") returned=".wav" [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0104.581] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0104.582] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0104.582] lstrcmpiW (lpString1="GC6ETPphsGdG.wav", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.582] lstrlenA (lpString="NEPHILIM") returned 8 [0104.582] GetProcessHeap () returned 0x4e0000 [0104.582] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505230 [0104.582] lstrlenA (lpString="NEPHILIM") returned 8 [0104.582] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GC6ETPphsGdG.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\gc6etpphsgdg.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0104.582] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=59218) returned 1 [0104.582] GetProcessHeap () returned 0x4e0000 [0104.582] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.582] GetProcessHeap () returned 0x4e0000 [0104.582] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.582] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.582] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.582] GetProcessHeap () returned 0x4e0000 [0104.582] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.582] GetProcessHeap () returned 0x4e0000 [0104.582] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.583] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0104.583] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0104.583] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xe752, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.583] SetLastError (dwErrCode=0x0) [0104.583] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.584] GetLastError () returned 0x0 [0104.584] GetLastError () returned 0x0 [0104.584] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xe852, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.585] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.585] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xe952, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.585] lstrlenA (lpString="NEPHILIM") returned 8 [0104.585] WriteFile (in: hFile=0xf4, lpBuffer=0x505230*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x505230*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0104.585] GetProcessHeap () returned 0x4e0000 [0104.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xe752) returned 0x50d8b8 [0104.585] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.585] ReadFile (in: hFile=0xf4, lpBuffer=0x50d8b8, nNumberOfBytesToRead=0xe752, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesRead=0x24dd730*=0xe752, lpOverlapped=0x0) returned 1 [0104.589] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.589] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8b8*, nNumberOfBytesToWrite=0xe752, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesWritten=0x24dd73c*=0xe752, lpOverlapped=0x0) returned 1 [0104.589] GetProcessHeap () returned 0x4e0000 [0104.590] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d8b8 | out: hHeap=0x4e0000) returned 1 [0104.590] CloseHandle (hObject=0xf4) returned 1 [0104.593] GetProcessHeap () returned 0x4e0000 [0104.593] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.593] GetProcessHeap () returned 0x4e0000 [0104.593] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.593] GetProcessHeap () returned 0x4e0000 [0104.593] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.593] GetProcessHeap () returned 0x4e0000 [0104.593] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.593] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GC6ETPphsGdG.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GC6ETPphsGdG.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GC6ETPphsGdG.wav" [0104.593] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GC6ETPphsGdG.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GC6ETPphsGdG.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GC6ETPphsGdG.wav.NEPHILIM" [0104.593] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GC6ETPphsGdG.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\gc6etpphsgdg.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GC6ETPphsGdG.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\gc6etpphsgdg.wav.nephilim")) returned 1 [0104.594] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedee1630, ftCreationTime.dwHighDateTime=0x1d5e660, ftLastAccessTime.dwLowDateTime=0xc08d9cd0, ftLastAccessTime.dwHighDateTime=0x1d5e686, ftLastWriteTime.dwLowDateTime=0xc08d9cd0, ftLastWriteTime.dwHighDateTime=0x1d5e686, nFileSizeHigh=0x0, nFileSizeLow=0x99cf, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="GkT80-gRsdkeVwdlzDg.m4a", cAlternateFileName="GKT80-~1.M4A")) returned 1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2=".") returned 1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="..") returned 1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="...") returned 1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="windows") returned -1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="rsa") returned -1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="log") returned -1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="NTDETECT.COM") returned -1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="ntldr") returned -1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="MSDOS.SYS") returned -1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="IO.SYS") returned -1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="boot.ini") returned 1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="ntuser.dat") returned -1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="desktop.ini") returned 1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="CONFIG.SYS") returned 1 [0104.594] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="RECYCLER") returned -1 [0104.595] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.595] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="bootmgr") returned 1 [0104.595] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="programdata") returned -1 [0104.595] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="appdata") returned 1 [0104.595] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="program files") returned -1 [0104.595] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="program files (x86)") returned -1 [0104.595] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.595] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="GkT80-gRsdkeVwdlzDg.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GkT80-gRsdkeVwdlzDg.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GkT80-gRsdkeVwdlzDg.m4a" [0104.595] PathFindExtensionW (pszPath="GkT80-gRsdkeVwdlzDg.m4a") returned=".m4a" [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.595] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.595] lstrcmpiW (lpString1="GkT80-gRsdkeVwdlzDg.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.596] lstrlenA (lpString="NEPHILIM") returned 8 [0104.596] GetProcessHeap () returned 0x4e0000 [0104.596] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505240 [0104.596] lstrlenA (lpString="NEPHILIM") returned 8 [0104.596] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GkT80-gRsdkeVwdlzDg.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\gkt80-grsdkevwdlzdg.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0104.596] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=39375) returned 1 [0104.596] GetProcessHeap () returned 0x4e0000 [0104.596] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.596] GetProcessHeap () returned 0x4e0000 [0104.596] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.596] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.596] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.596] GetProcessHeap () returned 0x4e0000 [0104.596] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.596] GetProcessHeap () returned 0x4e0000 [0104.596] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.596] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0104.597] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0104.597] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x99cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.597] SetLastError (dwErrCode=0x0) [0104.597] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.598] GetLastError () returned 0x0 [0104.598] GetLastError () returned 0x0 [0104.598] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x9acf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.598] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.598] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x9bcf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.599] lstrlenA (lpString="NEPHILIM") returned 8 [0104.599] WriteFile (in: hFile=0xf4, lpBuffer=0x505240*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x505240*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0104.599] GetProcessHeap () returned 0x4e0000 [0104.599] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x99cf) returned 0x50d8b8 [0104.599] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.599] ReadFile (in: hFile=0xf4, lpBuffer=0x50d8b8, nNumberOfBytesToRead=0x99cf, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesRead=0x24dd730*=0x99cf, lpOverlapped=0x0) returned 1 [0104.602] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.602] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8b8*, nNumberOfBytesToWrite=0x99cf, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x99cf, lpOverlapped=0x0) returned 1 [0104.602] GetProcessHeap () returned 0x4e0000 [0104.602] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d8b8 | out: hHeap=0x4e0000) returned 1 [0104.602] CloseHandle (hObject=0xf4) returned 1 [0104.604] GetProcessHeap () returned 0x4e0000 [0104.604] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.604] GetProcessHeap () returned 0x4e0000 [0104.604] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.604] GetProcessHeap () returned 0x4e0000 [0104.604] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.604] GetProcessHeap () returned 0x4e0000 [0104.604] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.604] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GkT80-gRsdkeVwdlzDg.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GkT80-gRsdkeVwdlzDg.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GkT80-gRsdkeVwdlzDg.m4a" [0104.604] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GkT80-gRsdkeVwdlzDg.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GkT80-gRsdkeVwdlzDg.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GkT80-gRsdkeVwdlzDg.m4a.NEPHILIM" [0104.604] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GkT80-gRsdkeVwdlzDg.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\gkt80-grsdkevwdlzdg.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\GkT80-gRsdkeVwdlzDg.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\gkt80-grsdkevwdlzdg.m4a.nephilim")) returned 1 [0104.605] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a8a0b40, ftCreationTime.dwHighDateTime=0x1d5e28a, ftLastAccessTime.dwLowDateTime=0xb97bd190, ftLastAccessTime.dwHighDateTime=0x1d5e7a4, ftLastWriteTime.dwLowDateTime=0xb97bd190, ftLastWriteTime.dwHighDateTime=0x1d5e7a4, nFileSizeHigh=0x0, nFileSizeLow=0x3a77, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="gpN SombXrD-0I0aj.mp3", cAlternateFileName="GPNSOM~1.MP3")) returned 1 [0104.605] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2=".") returned 1 [0104.605] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="..") returned 1 [0104.605] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="...") returned 1 [0104.605] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="windows") returned -1 [0104.605] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="$RECYCLE.BIN") returned 1 [0104.605] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="rsa") returned -1 [0104.605] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="log") returned -1 [0104.605] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="NTDETECT.COM") returned -1 [0104.605] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="ntldr") returned -1 [0104.605] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="MSDOS.SYS") returned -1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="IO.SYS") returned -1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="boot.ini") returned 1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="ntuser.dat") returned -1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="desktop.ini") returned 1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="CONFIG.SYS") returned 1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="RECYCLER") returned -1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="BOOTSECT.BAK") returned 1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="bootmgr") returned 1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="programdata") returned -1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="appdata") returned 1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="program files") returned -1 [0104.606] lstrcmpiW (lpString1="gpN SombXrD-0I0aj.mp3", lpString2="program files (x86)") returned -1 [0104.606] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.606] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="gpN SombXrD-0I0aj.mp3" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\gpN SombXrD-0I0aj.mp3") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\gpN SombXrD-0I0aj.mp3" [0104.606] PathFindExtensionW (pszPath="gpN SombXrD-0I0aj.mp3") returned=".mp3" [0104.606] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0104.606] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0104.606] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0104.606] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0104.606] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0104.606] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0104.606] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0104.606] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0104.606] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0104.606] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0104.607] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0104.607] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc99b040, ftCreationTime.dwHighDateTime=0x1d5dd18, ftLastAccessTime.dwLowDateTime=0xcb7b74a0, ftLastAccessTime.dwHighDateTime=0x1d5df24, ftLastWriteTime.dwLowDateTime=0xcb7b74a0, ftLastWriteTime.dwHighDateTime=0x1d5df24, nFileSizeHigh=0x0, nFileSizeLow=0x4ab2, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="NAfcIR.wav", cAlternateFileName="")) returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2=".") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="..") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="...") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="windows") returned -1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="$RECYCLE.BIN") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="rsa") returned -1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="log") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="NTDETECT.COM") returned -1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="ntldr") returned -1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="MSDOS.SYS") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="IO.SYS") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="boot.ini") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="AUTOEXEC.BAT") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="ntuser.dat") returned -1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="desktop.ini") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="CONFIG.SYS") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="RECYCLER") returned -1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="BOOTSECT.BAK") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="bootmgr") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="programdata") returned -1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="appdata") returned 1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="program files") returned -1 [0104.607] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="program files (x86)") returned -1 [0104.607] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.608] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="NAfcIR.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\NAfcIR.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\NAfcIR.wav" [0104.608] PathFindExtensionW (pszPath="NAfcIR.wav") returned=".wav" [0104.608] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0104.626] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0104.626] lstrcmpiW (lpString1="NAfcIR.wav", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.626] lstrlenA (lpString="NEPHILIM") returned 8 [0104.626] GetProcessHeap () returned 0x4e0000 [0104.626] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x505250 [0104.626] lstrlenA (lpString="NEPHILIM") returned 8 [0104.626] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\NAfcIR.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\nafcir.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0104.627] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=19122) returned 1 [0104.627] GetProcessHeap () returned 0x4e0000 [0104.627] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.627] GetProcessHeap () returned 0x4e0000 [0104.627] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.627] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.627] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.627] GetProcessHeap () returned 0x4e0000 [0104.627] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.627] GetProcessHeap () returned 0x4e0000 [0104.627] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.627] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0104.628] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0104.628] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x4ab2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.628] SetLastError (dwErrCode=0x0) [0104.628] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.629] GetLastError () returned 0x0 [0104.629] GetLastError () returned 0x0 [0104.629] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x4bb2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.629] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.629] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x4cb2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.629] lstrlenA (lpString="NEPHILIM") returned 8 [0104.629] WriteFile (in: hFile=0xf4, lpBuffer=0x505250*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x505250*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0104.630] GetProcessHeap () returned 0x4e0000 [0104.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x4ab2) returned 0x50d8b8 [0104.630] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.630] ReadFile (in: hFile=0xf4, lpBuffer=0x50d8b8, nNumberOfBytesToRead=0x4ab2, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesRead=0x24dd730*=0x4ab2, lpOverlapped=0x0) returned 1 [0104.631] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.631] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8b8*, nNumberOfBytesToWrite=0x4ab2, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8b8*, lpNumberOfBytesWritten=0x24dd73c*=0x4ab2, lpOverlapped=0x0) returned 1 [0104.631] GetProcessHeap () returned 0x4e0000 [0104.631] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d8b8 | out: hHeap=0x4e0000) returned 1 [0104.631] CloseHandle (hObject=0xf4) returned 1 [0104.633] GetProcessHeap () returned 0x4e0000 [0104.633] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.633] GetProcessHeap () returned 0x4e0000 [0104.633] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.633] GetProcessHeap () returned 0x4e0000 [0104.633] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.633] GetProcessHeap () returned 0x4e0000 [0104.633] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.633] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\NAfcIR.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\NAfcIR.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\NAfcIR.wav" [0104.633] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\NAfcIR.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\NAfcIR.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\NAfcIR.wav.NEPHILIM" [0104.633] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\NAfcIR.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\nafcir.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\NAfcIR.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\nafcir.wav.nephilim")) returned 1 [0104.634] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x455ca5d0, ftCreationTime.dwHighDateTime=0x1d5da31, ftLastAccessTime.dwLowDateTime=0x7a0aa470, ftLastAccessTime.dwHighDateTime=0x1d5e4e1, ftLastWriteTime.dwLowDateTime=0x7a0aa470, ftLastWriteTime.dwHighDateTime=0x1d5e4e1, nFileSizeHigh=0x0, nFileSizeLow=0x8c8c, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="OFXLLTsK4.mp3", cAlternateFileName="OFXLLT~1.MP3")) returned 1 [0104.634] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2=".") returned 1 [0104.634] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="..") returned 1 [0104.634] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="...") returned 1 [0104.634] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="windows") returned -1 [0104.634] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="$RECYCLE.BIN") returned 1 [0104.634] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="rsa") returned -1 [0104.634] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="log") returned 1 [0104.634] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="NTDETECT.COM") returned 1 [0104.634] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="ntldr") returned 1 [0104.634] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="MSDOS.SYS") returned 1 [0104.634] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="IO.SYS") returned 1 [0104.634] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="boot.ini") returned 1 [0104.635] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0104.635] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="ntuser.dat") returned 1 [0104.635] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="desktop.ini") returned 1 [0104.635] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="CONFIG.SYS") returned 1 [0104.635] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="RECYCLER") returned -1 [0104.635] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="BOOTSECT.BAK") returned 1 [0104.635] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="bootmgr") returned 1 [0104.635] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="programdata") returned -1 [0104.635] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="appdata") returned 1 [0104.635] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="program files") returned -1 [0104.635] lstrcmpiW (lpString1="OFXLLTsK4.mp3", lpString2="program files (x86)") returned -1 [0104.635] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.635] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="OFXLLTsK4.mp3" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OFXLLTsK4.mp3") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OFXLLTsK4.mp3" [0104.635] PathFindExtensionW (pszPath="OFXLLTsK4.mp3") returned=".mp3" [0104.635] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0104.635] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0104.635] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0104.635] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0104.635] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0104.635] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0104.635] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0104.635] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0104.635] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0104.635] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0104.635] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0104.636] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c0d590, ftCreationTime.dwHighDateTime=0x1d5da17, ftLastAccessTime.dwLowDateTime=0xb63606e0, ftLastAccessTime.dwHighDateTime=0x1d5e0c9, ftLastWriteTime.dwLowDateTime=0xb63606e0, ftLastWriteTime.dwHighDateTime=0x1d5e0c9, nFileSizeHigh=0x0, nFileSizeLow=0x8c69, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="OLdQwjjqWYt_V.m4a", cAlternateFileName="OLDQWJ~1.M4A")) returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2=".") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="..") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="...") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="windows") returned -1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="rsa") returned -1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="log") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="NTDETECT.COM") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="ntldr") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="MSDOS.SYS") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="IO.SYS") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="boot.ini") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="ntuser.dat") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="desktop.ini") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="CONFIG.SYS") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="RECYCLER") returned -1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="bootmgr") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="programdata") returned -1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="appdata") returned 1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="program files") returned -1 [0104.636] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="program files (x86)") returned -1 [0104.636] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.636] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="OLdQwjjqWYt_V.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OLdQwjjqWYt_V.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OLdQwjjqWYt_V.m4a" [0104.637] PathFindExtensionW (pszPath="OLdQwjjqWYt_V.m4a") returned=".m4a" [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.637] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.637] lstrcmpiW (lpString1="OLdQwjjqWYt_V.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.637] lstrlenA (lpString="NEPHILIM") returned 8 [0104.637] GetProcessHeap () returned 0x4e0000 [0104.637] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d8d0 [0104.637] lstrlenA (lpString="NEPHILIM") returned 8 [0104.637] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OLdQwjjqWYt_V.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\oldqwjjqwyt_v.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0104.638] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=35945) returned 1 [0104.638] GetProcessHeap () returned 0x4e0000 [0104.638] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.638] GetProcessHeap () returned 0x4e0000 [0104.638] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.638] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.638] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.638] GetProcessHeap () returned 0x4e0000 [0104.638] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.638] GetProcessHeap () returned 0x4e0000 [0104.638] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.638] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0104.638] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0104.638] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x8c69, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.638] SetLastError (dwErrCode=0x0) [0104.638] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.640] GetLastError () returned 0x0 [0104.640] GetLastError () returned 0x0 [0104.640] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x8d69, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.640] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.640] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x8e69, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.640] lstrlenA (lpString="NEPHILIM") returned 8 [0104.640] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8d0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8d0*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0104.640] GetProcessHeap () returned 0x4e0000 [0104.640] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8c69) returned 0x50dcb8 [0104.640] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.640] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x8c69, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x8c69, lpOverlapped=0x0) returned 1 [0104.642] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.642] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x8c69, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x8c69, lpOverlapped=0x0) returned 1 [0104.642] GetProcessHeap () returned 0x4e0000 [0104.642] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.642] CloseHandle (hObject=0xf4) returned 1 [0104.644] GetProcessHeap () returned 0x4e0000 [0104.644] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.644] GetProcessHeap () returned 0x4e0000 [0104.644] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.645] GetProcessHeap () returned 0x4e0000 [0104.645] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.645] GetProcessHeap () returned 0x4e0000 [0104.645] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.645] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OLdQwjjqWYt_V.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OLdQwjjqWYt_V.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OLdQwjjqWYt_V.m4a" [0104.645] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OLdQwjjqWYt_V.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OLdQwjjqWYt_V.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OLdQwjjqWYt_V.m4a.NEPHILIM" [0104.645] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OLdQwjjqWYt_V.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\oldqwjjqwyt_v.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\OLdQwjjqWYt_V.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\oldqwjjqwyt_v.m4a.nephilim")) returned 1 [0104.646] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf42cce10, ftCreationTime.dwHighDateTime=0x1d5e773, ftLastAccessTime.dwLowDateTime=0xedd718a0, ftLastAccessTime.dwHighDateTime=0x1d5e4e8, ftLastWriteTime.dwLowDateTime=0xedd718a0, ftLastWriteTime.dwHighDateTime=0x1d5e4e8, nFileSizeHigh=0x0, nFileSizeLow=0x166d5, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="SMnF6e.m4a", cAlternateFileName="")) returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2=".") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="..") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="...") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="windows") returned -1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="rsa") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="log") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="NTDETECT.COM") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="ntldr") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="MSDOS.SYS") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="IO.SYS") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="boot.ini") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="ntuser.dat") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="desktop.ini") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="CONFIG.SYS") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="RECYCLER") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="bootmgr") returned 1 [0104.646] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="programdata") returned 1 [0104.647] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="appdata") returned 1 [0104.647] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="program files") returned 1 [0104.647] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="program files (x86)") returned 1 [0104.647] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.647] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="SMnF6e.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\SMnF6e.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\SMnF6e.m4a" [0104.647] PathFindExtensionW (pszPath="SMnF6e.m4a") returned=".m4a" [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.647] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.647] lstrcmpiW (lpString1="SMnF6e.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.647] lstrlenA (lpString="NEPHILIM") returned 8 [0104.647] GetProcessHeap () returned 0x4e0000 [0104.647] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d8e0 [0104.647] lstrlenA (lpString="NEPHILIM") returned 8 [0104.647] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\SMnF6e.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\smnf6e.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0104.648] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=91861) returned 1 [0104.648] GetProcessHeap () returned 0x4e0000 [0104.648] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.648] GetProcessHeap () returned 0x4e0000 [0104.648] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.648] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.648] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.648] GetProcessHeap () returned 0x4e0000 [0104.648] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.648] GetProcessHeap () returned 0x4e0000 [0104.648] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.648] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0104.648] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0104.648] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x166d5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.648] SetLastError (dwErrCode=0x0) [0104.648] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.649] GetLastError () returned 0x0 [0104.649] GetLastError () returned 0x0 [0104.649] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x167d5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.649] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.650] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x168d5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.650] lstrlenA (lpString="NEPHILIM") returned 8 [0104.650] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8e0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8e0*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0104.650] GetProcessHeap () returned 0x4e0000 [0104.650] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x166d5) returned 0x50dcb8 [0104.650] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.650] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x166d5, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x166d5, lpOverlapped=0x0) returned 1 [0104.654] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.654] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x166d5, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x166d5, lpOverlapped=0x0) returned 1 [0104.665] GetProcessHeap () returned 0x4e0000 [0104.665] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.665] CloseHandle (hObject=0xf4) returned 1 [0104.668] GetProcessHeap () returned 0x4e0000 [0104.668] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.668] GetProcessHeap () returned 0x4e0000 [0104.668] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.668] GetProcessHeap () returned 0x4e0000 [0104.668] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.668] GetProcessHeap () returned 0x4e0000 [0104.668] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.668] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\SMnF6e.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\SMnF6e.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\SMnF6e.m4a" [0104.668] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\SMnF6e.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\SMnF6e.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\SMnF6e.m4a.NEPHILIM" [0104.668] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\SMnF6e.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\smnf6e.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\SMnF6e.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\smnf6e.m4a.nephilim")) returned 1 [0104.669] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ed27f0, ftCreationTime.dwHighDateTime=0x1d5dbf8, ftLastAccessTime.dwLowDateTime=0x1148d240, ftLastAccessTime.dwHighDateTime=0x1d5de51, ftLastWriteTime.dwLowDateTime=0x1148d240, ftLastWriteTime.dwHighDateTime=0x1d5de51, nFileSizeHigh=0x0, nFileSizeLow=0x4dfb, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="TkvglmLL3W EQ2X.wav", cAlternateFileName="TKVGLM~1.WAV")) returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2=".") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="..") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="...") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="windows") returned -1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="$RECYCLE.BIN") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="rsa") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="log") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="NTDETECT.COM") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="ntldr") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="MSDOS.SYS") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="IO.SYS") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="boot.ini") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="AUTOEXEC.BAT") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="ntuser.dat") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="desktop.ini") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="CONFIG.SYS") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="RECYCLER") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="BOOTSECT.BAK") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="bootmgr") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="programdata") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="appdata") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="program files") returned 1 [0104.669] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="program files (x86)") returned 1 [0104.669] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.670] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="TkvglmLL3W EQ2X.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TkvglmLL3W EQ2X.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TkvglmLL3W EQ2X.wav" [0104.670] PathFindExtensionW (pszPath="TkvglmLL3W EQ2X.wav") returned=".wav" [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0104.670] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0104.673] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0104.673] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0104.673] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0104.673] lstrcmpiW (lpString1="TkvglmLL3W EQ2X.wav", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.673] lstrlenA (lpString="NEPHILIM") returned 8 [0104.673] GetProcessHeap () returned 0x4e0000 [0104.673] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d8f0 [0104.673] lstrlenA (lpString="NEPHILIM") returned 8 [0104.673] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TkvglmLL3W EQ2X.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\tkvglmll3w eq2x.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0104.673] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=19963) returned 1 [0104.673] GetProcessHeap () returned 0x4e0000 [0104.673] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.673] GetProcessHeap () returned 0x4e0000 [0104.674] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.674] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.674] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.674] GetProcessHeap () returned 0x4e0000 [0104.674] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.674] GetProcessHeap () returned 0x4e0000 [0104.674] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.674] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0104.674] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0104.674] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x4dfb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.674] SetLastError (dwErrCode=0x0) [0104.674] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.675] GetLastError () returned 0x0 [0104.675] GetLastError () returned 0x0 [0104.675] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x4efb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.675] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.675] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x4ffb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.675] lstrlenA (lpString="NEPHILIM") returned 8 [0104.675] WriteFile (in: hFile=0xf4, lpBuffer=0x50d8f0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d8f0*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0104.676] GetProcessHeap () returned 0x4e0000 [0104.676] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x4dfb) returned 0x50dcb8 [0104.676] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.676] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x4dfb, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x4dfb, lpOverlapped=0x0) returned 1 [0104.677] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.677] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x4dfb, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x4dfb, lpOverlapped=0x0) returned 1 [0104.677] GetProcessHeap () returned 0x4e0000 [0104.677] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.677] CloseHandle (hObject=0xf4) returned 1 [0104.678] GetProcessHeap () returned 0x4e0000 [0104.678] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.679] GetProcessHeap () returned 0x4e0000 [0104.679] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.679] GetProcessHeap () returned 0x4e0000 [0104.679] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.679] GetProcessHeap () returned 0x4e0000 [0104.679] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.679] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TkvglmLL3W EQ2X.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TkvglmLL3W EQ2X.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TkvglmLL3W EQ2X.wav" [0104.679] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TkvglmLL3W EQ2X.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TkvglmLL3W EQ2X.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TkvglmLL3W EQ2X.wav.NEPHILIM" [0104.679] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TkvglmLL3W EQ2X.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\tkvglmll3w eq2x.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TkvglmLL3W EQ2X.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\tkvglmll3w eq2x.wav.nephilim")) returned 1 [0104.680] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63f8def0, ftCreationTime.dwHighDateTime=0x1d5ddd3, ftLastAccessTime.dwLowDateTime=0xa6a13c20, ftLastAccessTime.dwHighDateTime=0x1d5e742, ftLastWriteTime.dwLowDateTime=0xa6a13c20, ftLastWriteTime.dwHighDateTime=0x1d5e742, nFileSizeHigh=0x0, nFileSizeLow=0x5999, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="TX1GXbOfCY.mp3", cAlternateFileName="TX1GXB~1.MP3")) returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2=".") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="..") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="...") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="windows") returned -1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="$RECYCLE.BIN") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="rsa") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="log") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="NTDETECT.COM") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="ntldr") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="MSDOS.SYS") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="IO.SYS") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="boot.ini") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="ntuser.dat") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="desktop.ini") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="CONFIG.SYS") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="RECYCLER") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="BOOTSECT.BAK") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="bootmgr") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="programdata") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="appdata") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="program files") returned 1 [0104.680] lstrcmpiW (lpString1="TX1GXbOfCY.mp3", lpString2="program files (x86)") returned 1 [0104.680] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.680] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="TX1GXbOfCY.mp3" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TX1GXbOfCY.mp3") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\TX1GXbOfCY.mp3" [0104.680] PathFindExtensionW (pszPath="TX1GXbOfCY.mp3") returned=".mp3" [0104.680] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0104.680] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0104.680] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0104.681] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0104.681] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0104.681] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0104.681] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0104.681] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0104.681] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0104.681] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0104.681] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0104.681] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8aea860, ftCreationTime.dwHighDateTime=0x1d5e13a, ftLastAccessTime.dwLowDateTime=0x266b61c0, ftLastAccessTime.dwHighDateTime=0x1d5dff9, ftLastWriteTime.dwLowDateTime=0x266b61c0, ftLastWriteTime.dwHighDateTime=0x1d5dff9, nFileSizeHigh=0x0, nFileSizeLow=0x10a24, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="Wql_H564x5E5Zo.m4a", cAlternateFileName="WQL_H5~1.M4A")) returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2=".") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="..") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="...") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="windows") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="rsa") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="log") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="NTDETECT.COM") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="ntldr") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="MSDOS.SYS") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="IO.SYS") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="boot.ini") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="ntuser.dat") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="desktop.ini") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="CONFIG.SYS") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="RECYCLER") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="bootmgr") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="programdata") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="appdata") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="program files") returned 1 [0104.681] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="program files (x86)") returned 1 [0104.682] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.682] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="Wql_H564x5E5Zo.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\Wql_H564x5E5Zo.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\Wql_H564x5E5Zo.m4a" [0104.682] PathFindExtensionW (pszPath="Wql_H564x5E5Zo.m4a") returned=".m4a" [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.682] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.682] lstrcmpiW (lpString1="Wql_H564x5E5Zo.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.682] lstrlenA (lpString="NEPHILIM") returned 8 [0104.682] GetProcessHeap () returned 0x4e0000 [0104.682] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d900 [0104.682] lstrlenA (lpString="NEPHILIM") returned 8 [0104.682] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\Wql_H564x5E5Zo.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\wql_h564x5e5zo.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0104.682] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=68132) returned 1 [0104.683] GetProcessHeap () returned 0x4e0000 [0104.683] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.683] GetProcessHeap () returned 0x4e0000 [0104.683] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.683] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.683] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.683] GetProcessHeap () returned 0x4e0000 [0104.683] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.683] GetProcessHeap () returned 0x4e0000 [0104.683] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.683] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0104.683] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0104.683] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x10a24, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.683] SetLastError (dwErrCode=0x0) [0104.683] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.684] GetLastError () returned 0x0 [0104.684] GetLastError () returned 0x0 [0104.684] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x10b24, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.684] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.684] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x10c24, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.684] lstrlenA (lpString="NEPHILIM") returned 8 [0104.684] WriteFile (in: hFile=0xf4, lpBuffer=0x50d900*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d900*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0104.684] GetProcessHeap () returned 0x4e0000 [0104.684] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10a24) returned 0x50dcb8 [0104.685] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.685] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x10a24, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x10a24, lpOverlapped=0x0) returned 1 [0104.689] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.689] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x10a24, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x10a24, lpOverlapped=0x0) returned 1 [0104.689] GetProcessHeap () returned 0x4e0000 [0104.689] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.690] CloseHandle (hObject=0xf4) returned 1 [0104.691] GetProcessHeap () returned 0x4e0000 [0104.691] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.691] GetProcessHeap () returned 0x4e0000 [0104.691] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.691] GetProcessHeap () returned 0x4e0000 [0104.692] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.692] GetProcessHeap () returned 0x4e0000 [0104.692] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.692] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\Wql_H564x5E5Zo.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\Wql_H564x5E5Zo.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\Wql_H564x5E5Zo.m4a" [0104.692] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\Wql_H564x5E5Zo.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\Wql_H564x5E5Zo.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\Wql_H564x5E5Zo.m4a.NEPHILIM" [0104.692] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\Wql_H564x5E5Zo.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\wql_h564x5e5zo.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\Wql_H564x5E5Zo.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\wql_h564x5e5zo.m4a.nephilim")) returned 1 [0104.693] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d27cf60, ftCreationTime.dwHighDateTime=0x1d5dcde, ftLastAccessTime.dwLowDateTime=0x8fda7f30, ftLastAccessTime.dwHighDateTime=0x1d5e66e, ftLastWriteTime.dwLowDateTime=0x8fda7f30, ftLastWriteTime.dwHighDateTime=0x1d5e66e, nFileSizeHigh=0x0, nFileSizeLow=0x9736, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="WxIZyTGHdczfIM.m4a", cAlternateFileName="WXIZYT~1.M4A")) returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2=".") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="..") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="...") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="windows") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="rsa") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="log") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="NTDETECT.COM") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="ntldr") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="MSDOS.SYS") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="IO.SYS") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="boot.ini") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="ntuser.dat") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="desktop.ini") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="CONFIG.SYS") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="RECYCLER") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="bootmgr") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="programdata") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="appdata") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="program files") returned 1 [0104.693] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="program files (x86)") returned 1 [0104.693] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.693] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="WxIZyTGHdczfIM.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\WxIZyTGHdczfIM.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\WxIZyTGHdczfIM.m4a" [0104.694] PathFindExtensionW (pszPath="WxIZyTGHdczfIM.m4a") returned=".m4a" [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.694] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.694] lstrcmpiW (lpString1="WxIZyTGHdczfIM.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.694] lstrlenA (lpString="NEPHILIM") returned 8 [0104.694] GetProcessHeap () returned 0x4e0000 [0104.694] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d910 [0104.694] lstrlenA (lpString="NEPHILIM") returned 8 [0104.694] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\WxIZyTGHdczfIM.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\wxizytghdczfim.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0104.694] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=38710) returned 1 [0104.695] GetProcessHeap () returned 0x4e0000 [0104.695] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.695] GetProcessHeap () returned 0x4e0000 [0104.695] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.695] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.695] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.695] GetProcessHeap () returned 0x4e0000 [0104.695] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.695] GetProcessHeap () returned 0x4e0000 [0104.695] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.695] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0104.695] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0104.695] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x9736, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.695] SetLastError (dwErrCode=0x0) [0104.695] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.696] GetLastError () returned 0x0 [0104.696] GetLastError () returned 0x0 [0104.696] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x9836, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.696] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.696] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x9936, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.696] lstrlenA (lpString="NEPHILIM") returned 8 [0104.697] WriteFile (in: hFile=0xf4, lpBuffer=0x50d910*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d910*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0104.697] GetProcessHeap () returned 0x4e0000 [0104.697] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x9736) returned 0x50dcb8 [0104.697] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.697] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x9736, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x9736, lpOverlapped=0x0) returned 1 [0104.699] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.699] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x9736, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x9736, lpOverlapped=0x0) returned 1 [0104.699] GetProcessHeap () returned 0x4e0000 [0104.699] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.699] CloseHandle (hObject=0xf4) returned 1 [0104.701] GetProcessHeap () returned 0x4e0000 [0104.701] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.701] GetProcessHeap () returned 0x4e0000 [0104.701] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.702] GetProcessHeap () returned 0x4e0000 [0104.702] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.702] GetProcessHeap () returned 0x4e0000 [0104.702] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.702] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\WxIZyTGHdczfIM.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\WxIZyTGHdczfIM.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\WxIZyTGHdczfIM.m4a" [0104.702] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\WxIZyTGHdczfIM.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\WxIZyTGHdczfIM.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\WxIZyTGHdczfIM.m4a.NEPHILIM" [0104.702] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\WxIZyTGHdczfIM.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\wxizytghdczfim.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\WxIZyTGHdczfIM.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\wxizytghdczfim.m4a.nephilim")) returned 1 [0104.703] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0da7c0, ftCreationTime.dwHighDateTime=0x1d5e04f, ftLastAccessTime.dwLowDateTime=0xe4e54b90, ftLastAccessTime.dwHighDateTime=0x1d5de2b, ftLastWriteTime.dwLowDateTime=0xe4e54b90, ftLastWriteTime.dwHighDateTime=0x1d5de2b, nFileSizeHigh=0x0, nFileSizeLow=0x179de, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="zFvqNkEKMTcCDQLAExj-.m4a", cAlternateFileName="ZFVQNK~1.M4A")) returned 1 [0104.703] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2=".") returned 1 [0104.703] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="..") returned 1 [0104.703] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="...") returned 1 [0104.703] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="windows") returned 1 [0104.703] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.703] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="rsa") returned 1 [0104.703] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="log") returned 1 [0104.703] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="NTDETECT.COM") returned 1 [0104.703] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="ntldr") returned 1 [0104.703] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="MSDOS.SYS") returned 1 [0104.703] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="IO.SYS") returned 1 [0104.703] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="boot.ini") returned 1 [0104.704] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.704] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="ntuser.dat") returned 1 [0104.704] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="desktop.ini") returned 1 [0104.704] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="CONFIG.SYS") returned 1 [0104.704] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="RECYCLER") returned 1 [0104.704] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.704] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="bootmgr") returned 1 [0104.704] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="programdata") returned 1 [0104.704] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="appdata") returned 1 [0104.704] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="program files") returned 1 [0104.704] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="program files (x86)") returned 1 [0104.704] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\" [0104.704] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\", lpString2="zFvqNkEKMTcCDQLAExj-.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\zFvqNkEKMTcCDQLAExj-.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\zFvqNkEKMTcCDQLAExj-.m4a" [0104.704] PathFindExtensionW (pszPath="zFvqNkEKMTcCDQLAExj-.m4a") returned=".m4a" [0104.704] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.704] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.704] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.704] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.704] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.704] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.704] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.704] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.704] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.704] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.704] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.704] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.705] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.705] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.705] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.705] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.705] lstrcmpiW (lpString1="zFvqNkEKMTcCDQLAExj-.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.705] lstrlenA (lpString="NEPHILIM") returned 8 [0104.705] GetProcessHeap () returned 0x4e0000 [0104.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d920 [0104.705] lstrlenA (lpString="NEPHILIM") returned 8 [0104.705] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\zFvqNkEKMTcCDQLAExj-.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\zfvqnkekmtccdqlaexj-.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0104.705] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=96734) returned 1 [0104.705] GetProcessHeap () returned 0x4e0000 [0104.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.705] GetProcessHeap () returned 0x4e0000 [0104.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.705] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.705] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.705] GetProcessHeap () returned 0x4e0000 [0104.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.705] GetProcessHeap () returned 0x4e0000 [0104.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.706] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0104.706] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24dd504*=0x100) returned 1 [0104.706] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x179de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.706] SetLastError (dwErrCode=0x0) [0104.706] WriteFile (in: hFile=0xf4, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.707] GetLastError () returned 0x0 [0104.707] GetLastError () returned 0x0 [0104.707] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x17ade, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.707] WriteFile (in: hFile=0xf4, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0104.707] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x17bde, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.707] lstrlenA (lpString="NEPHILIM") returned 8 [0104.707] WriteFile (in: hFile=0xf4, lpBuffer=0x50d920*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d920*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0104.708] GetProcessHeap () returned 0x4e0000 [0104.708] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x179de) returned 0x50dcb8 [0104.708] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.708] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x179de, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x179de, lpOverlapped=0x0) returned 1 [0104.713] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.714] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x179de, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x179de, lpOverlapped=0x0) returned 1 [0104.714] GetProcessHeap () returned 0x4e0000 [0104.714] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.714] CloseHandle (hObject=0xf4) returned 1 [0104.716] GetProcessHeap () returned 0x4e0000 [0104.716] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.716] GetProcessHeap () returned 0x4e0000 [0104.716] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.716] GetProcessHeap () returned 0x4e0000 [0104.716] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.716] GetProcessHeap () returned 0x4e0000 [0104.716] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.716] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\zFvqNkEKMTcCDQLAExj-.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\zFvqNkEKMTcCDQLAExj-.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\zFvqNkEKMTcCDQLAExj-.m4a" [0104.716] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\zFvqNkEKMTcCDQLAExj-.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\zFvqNkEKMTcCDQLAExj-.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\zFvqNkEKMTcCDQLAExj-.m4a.NEPHILIM" [0104.716] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\zFvqNkEKMTcCDQLAExj-.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\zfvqnkekmtccdqlaexj-.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\D918ob_hACUbatXR\\zFvqNkEKMTcCDQLAExj-.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\d918ob_hacubatxr\\zfvqnkekmtccdqlaexj-.m4a.nephilim")) returned 1 [0104.719] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0da7c0, ftCreationTime.dwHighDateTime=0x1d5e04f, ftLastAccessTime.dwLowDateTime=0xe4e54b90, ftLastAccessTime.dwHighDateTime=0x1d5de2b, ftLastWriteTime.dwLowDateTime=0xe4e54b90, ftLastWriteTime.dwHighDateTime=0x1d5de2b, nFileSizeHigh=0x0, nFileSizeLow=0x179de, dwReserved0=0x24dd72c, dwReserved1=0xe5919b5e, cFileName="zFvqNkEKMTcCDQLAExj-.m4a", cAlternateFileName="ZFVQNK~1.M4A")) returned 0 [0104.719] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0104.719] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9233860, ftCreationTime.dwHighDateTime=0x1d5dbe5, ftLastAccessTime.dwLowDateTime=0x44c34bc0, ftLastAccessTime.dwHighDateTime=0x1d5dad0, ftLastWriteTime.dwLowDateTime=0x44c34bc0, ftLastWriteTime.dwHighDateTime=0x1d5dad0, nFileSizeHigh=0x0, nFileSizeLow=0x7fee, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="RWPm0E.m4a", cAlternateFileName="")) returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2=".") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="..") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="...") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="windows") returned -1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="rsa") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="log") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="NTDETECT.COM") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="ntldr") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="MSDOS.SYS") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="IO.SYS") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="boot.ini") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="ntuser.dat") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="desktop.ini") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="CONFIG.SYS") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="RECYCLER") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.719] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="bootmgr") returned 1 [0104.720] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="programdata") returned 1 [0104.720] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="appdata") returned 1 [0104.720] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="program files") returned 1 [0104.720] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="program files (x86)") returned 1 [0104.720] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.720] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\", lpString2="RWPm0E.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\RWPm0E.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\RWPm0E.m4a" [0104.720] PathFindExtensionW (pszPath="RWPm0E.m4a") returned=".m4a" [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.720] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.720] lstrcmpiW (lpString1="RWPm0E.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.720] lstrlenA (lpString="NEPHILIM") returned 8 [0104.720] GetProcessHeap () returned 0x4e0000 [0104.720] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d930 [0104.720] lstrlenA (lpString="NEPHILIM") returned 8 [0104.720] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\RWPm0E.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\rwpm0e.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0104.721] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=32750) returned 1 [0104.721] GetProcessHeap () returned 0x4e0000 [0104.721] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.721] GetProcessHeap () returned 0x4e0000 [0104.721] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.721] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.721] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.721] GetProcessHeap () returned 0x4e0000 [0104.721] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.721] GetProcessHeap () returned 0x4e0000 [0104.721] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.721] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0104.721] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0104.721] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x7fee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.721] SetLastError (dwErrCode=0x0) [0104.721] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.722] GetLastError () returned 0x0 [0104.722] GetLastError () returned 0x0 [0104.722] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x80ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.723] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.723] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x81ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.723] lstrlenA (lpString="NEPHILIM") returned 8 [0104.723] WriteFile (in: hFile=0xf0, lpBuffer=0x50d930*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d930*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0104.723] GetProcessHeap () returned 0x4e0000 [0104.723] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x7fee) returned 0x50dcb8 [0104.723] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.723] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x7fee, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x7fee, lpOverlapped=0x0) returned 1 [0104.725] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.725] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x7fee, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x7fee, lpOverlapped=0x0) returned 1 [0104.725] GetProcessHeap () returned 0x4e0000 [0104.725] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.725] CloseHandle (hObject=0xf0) returned 1 [0104.726] GetProcessHeap () returned 0x4e0000 [0104.726] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.726] GetProcessHeap () returned 0x4e0000 [0104.726] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.726] GetProcessHeap () returned 0x4e0000 [0104.726] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.726] GetProcessHeap () returned 0x4e0000 [0104.726] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.726] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\RWPm0E.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\RWPm0E.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\RWPm0E.m4a" [0104.726] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\RWPm0E.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\RWPm0E.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\RWPm0E.m4a.NEPHILIM" [0104.727] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\RWPm0E.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\rwpm0e.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\RWPm0E.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\rwpm0e.m4a.nephilim")) returned 1 [0104.727] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33d2b2e0, ftCreationTime.dwHighDateTime=0x1d5dba9, ftLastAccessTime.dwLowDateTime=0xbc88b890, ftLastAccessTime.dwHighDateTime=0x1d5dcd1, ftLastWriteTime.dwLowDateTime=0xbc88b890, ftLastWriteTime.dwHighDateTime=0x1d5dcd1, nFileSizeHigh=0x0, nFileSizeLow=0x17391, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="sE0z-pa.m4a", cAlternateFileName="")) returned 1 [0104.727] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2=".") returned 1 [0104.727] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="..") returned 1 [0104.727] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="...") returned 1 [0104.727] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="windows") returned -1 [0104.727] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.727] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="rsa") returned 1 [0104.727] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="log") returned 1 [0104.727] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="NTDETECT.COM") returned 1 [0104.727] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="ntldr") returned 1 [0104.727] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="MSDOS.SYS") returned 1 [0104.727] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="IO.SYS") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="boot.ini") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="ntuser.dat") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="desktop.ini") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="CONFIG.SYS") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="RECYCLER") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="bootmgr") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="programdata") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="appdata") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="program files") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="program files (x86)") returned 1 [0104.728] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.728] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\", lpString2="sE0z-pa.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\sE0z-pa.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\sE0z-pa.m4a" [0104.728] PathFindExtensionW (pszPath="sE0z-pa.m4a") returned=".m4a" [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.728] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.728] lstrcmpiW (lpString1="sE0z-pa.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.728] lstrlenA (lpString="NEPHILIM") returned 8 [0104.729] GetProcessHeap () returned 0x4e0000 [0104.729] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d940 [0104.729] lstrlenA (lpString="NEPHILIM") returned 8 [0104.729] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\sE0z-pa.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\se0z-pa.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0104.729] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=95121) returned 1 [0104.729] GetProcessHeap () returned 0x4e0000 [0104.729] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.729] GetProcessHeap () returned 0x4e0000 [0104.729] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.729] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.729] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.729] GetProcessHeap () returned 0x4e0000 [0104.729] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.729] GetProcessHeap () returned 0x4e0000 [0104.729] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.729] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0104.729] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0104.729] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x17391, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.730] SetLastError (dwErrCode=0x0) [0104.730] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.731] GetLastError () returned 0x0 [0104.731] GetLastError () returned 0x0 [0104.731] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x17491, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.731] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.731] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x17591, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.731] lstrlenA (lpString="NEPHILIM") returned 8 [0104.731] WriteFile (in: hFile=0xf0, lpBuffer=0x50d940*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d940*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0104.731] GetProcessHeap () returned 0x4e0000 [0104.731] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x17391) returned 0x50dcb8 [0104.731] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.731] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x17391, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x17391, lpOverlapped=0x0) returned 1 [0104.737] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.737] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x17391, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x17391, lpOverlapped=0x0) returned 1 [0104.738] GetProcessHeap () returned 0x4e0000 [0104.738] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.738] CloseHandle (hObject=0xf0) returned 1 [0104.740] GetProcessHeap () returned 0x4e0000 [0104.740] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.740] GetProcessHeap () returned 0x4e0000 [0104.740] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.740] GetProcessHeap () returned 0x4e0000 [0104.740] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.740] GetProcessHeap () returned 0x4e0000 [0104.740] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.740] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\sE0z-pa.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\sE0z-pa.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\sE0z-pa.m4a" [0104.740] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\sE0z-pa.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\sE0z-pa.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\sE0z-pa.m4a.NEPHILIM" [0104.740] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\sE0z-pa.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\se0z-pa.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\sE0z-pa.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\se0z-pa.m4a.nephilim")) returned 1 [0104.741] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43f5cc20, ftCreationTime.dwHighDateTime=0x1d5e4a0, ftLastAccessTime.dwLowDateTime=0xb600a570, ftLastAccessTime.dwHighDateTime=0x1d5e760, ftLastWriteTime.dwLowDateTime=0xb600a570, ftLastWriteTime.dwHighDateTime=0x1d5e760, nFileSizeHigh=0x0, nFileSizeLow=0x2ab3, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="VI2lh.wav", cAlternateFileName="")) returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2=".") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="..") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="...") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="windows") returned -1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="$RECYCLE.BIN") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="rsa") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="log") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="NTDETECT.COM") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="ntldr") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="MSDOS.SYS") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="IO.SYS") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="boot.ini") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="AUTOEXEC.BAT") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="ntuser.dat") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="desktop.ini") returned 1 [0104.741] lstrcmpiW (lpString1="VI2lh.wav", lpString2="CONFIG.SYS") returned 1 [0104.742] lstrcmpiW (lpString1="VI2lh.wav", lpString2="RECYCLER") returned 1 [0104.742] lstrcmpiW (lpString1="VI2lh.wav", lpString2="BOOTSECT.BAK") returned 1 [0104.742] lstrcmpiW (lpString1="VI2lh.wav", lpString2="bootmgr") returned 1 [0104.742] lstrcmpiW (lpString1="VI2lh.wav", lpString2="programdata") returned 1 [0104.742] lstrcmpiW (lpString1="VI2lh.wav", lpString2="appdata") returned 1 [0104.742] lstrcmpiW (lpString1="VI2lh.wav", lpString2="program files") returned 1 [0104.742] lstrcmpiW (lpString1="VI2lh.wav", lpString2="program files (x86)") returned 1 [0104.742] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.742] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\", lpString2="VI2lh.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\VI2lh.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\VI2lh.wav" [0104.742] PathFindExtensionW (pszPath="VI2lh.wav") returned=".wav" [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0104.742] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0104.742] lstrcmpiW (lpString1="VI2lh.wav", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.742] lstrlenA (lpString="NEPHILIM") returned 8 [0104.742] GetProcessHeap () returned 0x4e0000 [0104.742] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d950 [0104.742] lstrlenA (lpString="NEPHILIM") returned 8 [0104.743] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\VI2lh.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\vi2lh.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0104.743] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=10931) returned 1 [0104.743] GetProcessHeap () returned 0x4e0000 [0104.743] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.743] GetProcessHeap () returned 0x4e0000 [0104.743] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.743] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.743] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.743] GetProcessHeap () returned 0x4e0000 [0104.743] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.743] GetProcessHeap () returned 0x4e0000 [0104.743] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.743] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0104.743] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0104.743] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x2ab3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.743] SetLastError (dwErrCode=0x0) [0104.743] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.744] GetLastError () returned 0x0 [0104.744] GetLastError () returned 0x0 [0104.744] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x2bb3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.745] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.745] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x2cb3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.745] lstrlenA (lpString="NEPHILIM") returned 8 [0104.745] WriteFile (in: hFile=0xf0, lpBuffer=0x50d950*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d950*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0104.745] GetProcessHeap () returned 0x4e0000 [0104.745] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2ab3) returned 0x50dcb8 [0104.745] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.745] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x2ab3, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x2ab3, lpOverlapped=0x0) returned 1 [0104.745] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.746] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x2ab3, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x2ab3, lpOverlapped=0x0) returned 1 [0104.746] GetProcessHeap () returned 0x4e0000 [0104.746] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.746] CloseHandle (hObject=0xf0) returned 1 [0104.747] GetProcessHeap () returned 0x4e0000 [0104.747] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.747] GetProcessHeap () returned 0x4e0000 [0104.747] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.747] GetProcessHeap () returned 0x4e0000 [0104.747] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.747] GetProcessHeap () returned 0x4e0000 [0104.747] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.747] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\VI2lh.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\VI2lh.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\VI2lh.wav" [0104.747] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\VI2lh.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\VI2lh.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\VI2lh.wav.NEPHILIM" [0104.747] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\VI2lh.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\vi2lh.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\VI2lh.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\vi2lh.wav.nephilim")) returned 1 [0104.748] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x402b0e0, ftCreationTime.dwHighDateTime=0x1d5daa2, ftLastAccessTime.dwLowDateTime=0x1216ae70, ftLastAccessTime.dwHighDateTime=0x1d5e6f5, ftLastWriteTime.dwLowDateTime=0x1216ae70, ftLastWriteTime.dwHighDateTime=0x1d5e6f5, nFileSizeHigh=0x0, nFileSizeLow=0x10471, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="XUY6CF RFsJ8qI7jeBQ.m4a", cAlternateFileName="XUY6CF~1.M4A")) returned 1 [0104.748] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2=".") returned 1 [0104.748] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="..") returned 1 [0104.748] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="...") returned 1 [0104.748] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="windows") returned 1 [0104.748] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.748] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="rsa") returned 1 [0104.748] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="log") returned 1 [0104.748] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="NTDETECT.COM") returned 1 [0104.748] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="ntldr") returned 1 [0104.748] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="MSDOS.SYS") returned 1 [0104.748] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="IO.SYS") returned 1 [0104.748] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="boot.ini") returned 1 [0104.750] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.750] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="ntuser.dat") returned 1 [0104.750] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="desktop.ini") returned 1 [0104.750] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="CONFIG.SYS") returned 1 [0104.750] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="RECYCLER") returned 1 [0104.750] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.750] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="bootmgr") returned 1 [0104.750] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="programdata") returned 1 [0104.750] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="appdata") returned 1 [0104.750] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="program files") returned 1 [0104.750] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="program files (x86)") returned 1 [0104.750] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.750] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\", lpString2="XUY6CF RFsJ8qI7jeBQ.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\XUY6CF RFsJ8qI7jeBQ.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\XUY6CF RFsJ8qI7jeBQ.m4a" [0104.750] PathFindExtensionW (pszPath="XUY6CF RFsJ8qI7jeBQ.m4a") returned=".m4a" [0104.750] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.750] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.750] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.750] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.750] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.750] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.750] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.751] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.751] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.751] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.751] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.751] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.751] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.751] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.751] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.751] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.751] lstrcmpiW (lpString1="XUY6CF RFsJ8qI7jeBQ.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.751] lstrlenA (lpString="NEPHILIM") returned 8 [0104.751] GetProcessHeap () returned 0x4e0000 [0104.751] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d960 [0104.751] lstrlenA (lpString="NEPHILIM") returned 8 [0104.751] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\XUY6CF RFsJ8qI7jeBQ.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\xuy6cf rfsj8qi7jebq.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0104.751] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=66673) returned 1 [0104.751] GetProcessHeap () returned 0x4e0000 [0104.751] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.751] GetProcessHeap () returned 0x4e0000 [0104.751] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.751] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.751] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.751] GetProcessHeap () returned 0x4e0000 [0104.751] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.751] GetProcessHeap () returned 0x4e0000 [0104.751] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.751] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0104.752] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0104.752] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x10471, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.752] SetLastError (dwErrCode=0x0) [0104.752] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.753] GetLastError () returned 0x0 [0104.753] GetLastError () returned 0x0 [0104.753] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x10571, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.753] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.753] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x10671, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.753] lstrlenA (lpString="NEPHILIM") returned 8 [0104.753] WriteFile (in: hFile=0xf0, lpBuffer=0x50d960*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d960*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0104.753] GetProcessHeap () returned 0x4e0000 [0104.753] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10471) returned 0x50dcb8 [0104.753] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.753] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x10471, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x10471, lpOverlapped=0x0) returned 1 [0104.757] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.757] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x10471, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x10471, lpOverlapped=0x0) returned 1 [0104.757] GetProcessHeap () returned 0x4e0000 [0104.757] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.757] CloseHandle (hObject=0xf0) returned 1 [0104.759] GetProcessHeap () returned 0x4e0000 [0104.759] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.759] GetProcessHeap () returned 0x4e0000 [0104.759] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.759] GetProcessHeap () returned 0x4e0000 [0104.759] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.759] GetProcessHeap () returned 0x4e0000 [0104.759] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.759] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\XUY6CF RFsJ8qI7jeBQ.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\XUY6CF RFsJ8qI7jeBQ.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\XUY6CF RFsJ8qI7jeBQ.m4a" [0104.759] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\XUY6CF RFsJ8qI7jeBQ.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\XUY6CF RFsJ8qI7jeBQ.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\XUY6CF RFsJ8qI7jeBQ.m4a.NEPHILIM" [0104.759] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\XUY6CF RFsJ8qI7jeBQ.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\xuy6cf rfsj8qi7jebq.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\XUY6CF RFsJ8qI7jeBQ.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\xuy6cf rfsj8qi7jebq.m4a.nephilim")) returned 1 [0104.760] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3c9e960, ftCreationTime.dwHighDateTime=0x1d5e6de, ftLastAccessTime.dwLowDateTime=0x29f6e560, ftLastAccessTime.dwHighDateTime=0x1d5d899, ftLastWriteTime.dwLowDateTime=0x29f6e560, ftLastWriteTime.dwHighDateTime=0x1d5d899, nFileSizeHigh=0x0, nFileSizeLow=0x17b0, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="YUnHNwyZx0dX.mp3", cAlternateFileName="YUNHNW~1.MP3")) returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2=".") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="..") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="...") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="windows") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="$RECYCLE.BIN") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="rsa") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="log") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="NTDETECT.COM") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="ntldr") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="MSDOS.SYS") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="IO.SYS") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="boot.ini") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="ntuser.dat") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="desktop.ini") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="CONFIG.SYS") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="RECYCLER") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="BOOTSECT.BAK") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="bootmgr") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="programdata") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="appdata") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="program files") returned 1 [0104.760] lstrcmpiW (lpString1="YUnHNwyZx0dX.mp3", lpString2="program files (x86)") returned 1 [0104.760] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.760] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\", lpString2="YUnHNwyZx0dX.mp3" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\YUnHNwyZx0dX.mp3") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\YUnHNwyZx0dX.mp3" [0104.760] PathFindExtensionW (pszPath="YUnHNwyZx0dX.mp3") returned=".mp3" [0104.760] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0104.761] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0104.761] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0104.761] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0104.761] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0104.761] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0104.761] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0104.761] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0104.761] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0104.761] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0104.761] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0104.761] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93075a40, ftCreationTime.dwHighDateTime=0x1d5e720, ftLastAccessTime.dwLowDateTime=0x391dca50, ftLastAccessTime.dwHighDateTime=0x1d5d9fb, ftLastWriteTime.dwLowDateTime=0x391dca50, ftLastWriteTime.dwHighDateTime=0x1d5d9fb, nFileSizeHigh=0x0, nFileSizeLow=0x13fd4, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="z86ZZCWl6Cmr G.m4a", cAlternateFileName="Z86ZZC~1.M4A")) returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2=".") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="..") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="...") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="windows") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="$RECYCLE.BIN") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="rsa") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="log") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="NTDETECT.COM") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="ntldr") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="MSDOS.SYS") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="IO.SYS") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="boot.ini") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="ntuser.dat") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="desktop.ini") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="CONFIG.SYS") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="RECYCLER") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="BOOTSECT.BAK") returned 1 [0104.761] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="bootmgr") returned 1 [0104.762] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="programdata") returned 1 [0104.762] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="appdata") returned 1 [0104.762] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="program files") returned 1 [0104.762] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="program files (x86)") returned 1 [0104.762] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.762] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\", lpString2="z86ZZCWl6Cmr G.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\z86ZZCWl6Cmr G.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\z86ZZCWl6Cmr G.m4a" [0104.762] PathFindExtensionW (pszPath="z86ZZCWl6Cmr G.m4a") returned=".m4a" [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".NEPHILIM") returned -1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0104.762] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0104.762] lstrcmpiW (lpString1="z86ZZCWl6Cmr G.m4a", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.762] lstrlenA (lpString="NEPHILIM") returned 8 [0104.762] GetProcessHeap () returned 0x4e0000 [0104.762] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d970 [0104.762] lstrlenA (lpString="NEPHILIM") returned 8 [0104.763] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\z86ZZCWl6Cmr G.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\z86zzcwl6cmr g.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0104.763] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=81876) returned 1 [0104.763] GetProcessHeap () returned 0x4e0000 [0104.763] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.763] GetProcessHeap () returned 0x4e0000 [0104.763] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.763] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.763] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.763] GetProcessHeap () returned 0x4e0000 [0104.763] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.763] GetProcessHeap () returned 0x4e0000 [0104.763] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.763] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0104.763] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0104.763] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x13fd4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.764] SetLastError (dwErrCode=0x0) [0104.764] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.781] GetLastError () returned 0x0 [0104.781] GetLastError () returned 0x0 [0104.781] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x140d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.781] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.782] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x141d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.782] lstrlenA (lpString="NEPHILIM") returned 8 [0104.782] WriteFile (in: hFile=0xf0, lpBuffer=0x50d970*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d970*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0104.782] GetProcessHeap () returned 0x4e0000 [0104.782] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x13fd4) returned 0x50dcb8 [0104.782] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.782] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x13fd4, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x13fd4, lpOverlapped=0x0) returned 1 [0104.786] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.787] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x13fd4, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x13fd4, lpOverlapped=0x0) returned 1 [0104.787] GetProcessHeap () returned 0x4e0000 [0104.787] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.787] CloseHandle (hObject=0xf0) returned 1 [0104.800] GetProcessHeap () returned 0x4e0000 [0104.800] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.800] GetProcessHeap () returned 0x4e0000 [0104.800] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.800] GetProcessHeap () returned 0x4e0000 [0104.800] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.800] GetProcessHeap () returned 0x4e0000 [0104.800] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.800] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\z86ZZCWl6Cmr G.m4a" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\z86ZZCWl6Cmr G.m4a") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\z86ZZCWl6Cmr G.m4a" [0104.800] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\z86ZZCWl6Cmr G.m4a", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\z86ZZCWl6Cmr G.m4a.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\z86ZZCWl6Cmr G.m4a.NEPHILIM" [0104.800] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\z86ZZCWl6Cmr G.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\z86zzcwl6cmr g.m4a"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\z86ZZCWl6Cmr G.m4a.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\z86zzcwl6cmr g.m4a.nephilim")) returned 1 [0104.801] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8f776c0, ftCreationTime.dwHighDateTime=0x1d5e172, ftLastAccessTime.dwLowDateTime=0x64021e90, ftLastAccessTime.dwHighDateTime=0x1d5de53, ftLastWriteTime.dwLowDateTime=0x64021e90, ftLastWriteTime.dwHighDateTime=0x1d5de53, nFileSizeHigh=0x0, nFileSizeLow=0x13a25, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="zM_WUfi 8.wav", cAlternateFileName="ZM_WUF~1.WAV")) returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2=".") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="..") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="...") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="windows") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="$RECYCLE.BIN") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="rsa") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="log") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="NTDETECT.COM") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="ntldr") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="MSDOS.SYS") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="IO.SYS") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="boot.ini") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="AUTOEXEC.BAT") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="ntuser.dat") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="desktop.ini") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="CONFIG.SYS") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="RECYCLER") returned 1 [0104.801] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="BOOTSECT.BAK") returned 1 [0104.802] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="bootmgr") returned 1 [0104.802] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="programdata") returned 1 [0104.802] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="appdata") returned 1 [0104.802] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="program files") returned 1 [0104.802] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="program files (x86)") returned 1 [0104.802] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\" [0104.802] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\", lpString2="zM_WUfi 8.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\zM_WUfi 8.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\zM_WUfi 8.wav" [0104.802] PathFindExtensionW (pszPath="zM_WUfi 8.wav") returned=".wav" [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".NEPHILIM") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0104.802] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0104.802] lstrcmpiW (lpString1="zM_WUfi 8.wav", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.802] lstrlenA (lpString="NEPHILIM") returned 8 [0104.802] GetProcessHeap () returned 0x4e0000 [0104.802] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d980 [0104.803] lstrlenA (lpString="NEPHILIM") returned 8 [0104.803] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\zM_WUfi 8.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\zm_wufi 8.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0104.803] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=80421) returned 1 [0104.803] GetProcessHeap () returned 0x4e0000 [0104.803] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.803] GetProcessHeap () returned 0x4e0000 [0104.803] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.803] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.803] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.803] GetProcessHeap () returned 0x4e0000 [0104.803] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.803] GetProcessHeap () returned 0x4e0000 [0104.803] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.803] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0104.803] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0104.804] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x13a25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.804] SetLastError (dwErrCode=0x0) [0104.804] WriteFile (in: hFile=0xf0, lpBuffer=0x5080f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x5080f8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.805] GetLastError () returned 0x0 [0104.805] GetLastError () returned 0x0 [0104.805] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x13b25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.805] WriteFile (in: hFile=0xf0, lpBuffer=0x508200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508200*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.805] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x13c25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.805] lstrlenA (lpString="NEPHILIM") returned 8 [0104.805] WriteFile (in: hFile=0xf0, lpBuffer=0x50d980*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d980*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0104.805] GetProcessHeap () returned 0x4e0000 [0104.805] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x13a25) returned 0x50dcb8 [0104.805] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.805] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x13a25, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x13a25, lpOverlapped=0x0) returned 1 [0104.809] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.809] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x13a25, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x13a25, lpOverlapped=0x0) returned 1 [0104.810] GetProcessHeap () returned 0x4e0000 [0104.810] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.810] CloseHandle (hObject=0xf0) returned 1 [0104.811] GetProcessHeap () returned 0x4e0000 [0104.811] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x5080f8 | out: hHeap=0x4e0000) returned 1 [0104.811] GetProcessHeap () returned 0x4e0000 [0104.811] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508200 | out: hHeap=0x4e0000) returned 1 [0104.812] GetProcessHeap () returned 0x4e0000 [0104.812] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cc0 | out: hHeap=0x4e0000) returned 1 [0104.812] GetProcessHeap () returned 0x4e0000 [0104.812] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504cd8 | out: hHeap=0x4e0000) returned 1 [0104.812] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\zM_WUfi 8.wav" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\zM_WUfi 8.wav") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\zM_WUfi 8.wav" [0104.812] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\zM_WUfi 8.wav", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\zM_WUfi 8.wav.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\zM_WUfi 8.wav.NEPHILIM" [0104.812] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\zM_WUfi 8.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\zm_wufi 8.wav"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UEL4L3jO9WoSQ7Qozz6\\zM_WUfi 8.wav.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uel4l3jo9wosq7qozz6\\zm_wufi 8.wav.nephilim")) returned 1 [0104.812] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8f776c0, ftCreationTime.dwHighDateTime=0x1d5e172, ftLastAccessTime.dwLowDateTime=0x64021e90, ftLastAccessTime.dwHighDateTime=0x1d5de53, ftLastWriteTime.dwLowDateTime=0x64021e90, ftLastWriteTime.dwHighDateTime=0x1d5de53, nFileSizeHigh=0x0, nFileSizeLow=0x13a25, dwReserved0=0x24dddac, dwReserved1=0xb237799d, cFileName="zM_WUfi 8.wav", cAlternateFileName="ZM_WUF~1.WAV")) returned 0 [0104.813] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0104.813] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66ef0060, ftCreationTime.dwHighDateTime=0x1d5d8e4, ftLastAccessTime.dwLowDateTime=0x689e6fd0, ftLastAccessTime.dwHighDateTime=0x1d5e763, ftLastWriteTime.dwLowDateTime=0x689e6fd0, ftLastWriteTime.dwHighDateTime=0x1d5e763, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="UEL4L3jO9WoSQ7Qozz6", cAlternateFileName="UEL4L3~1")) returned 0 [0104.813] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0104.813] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="...") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="windows") returned -1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="$RECYCLE.BIN") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="rsa") returned -1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="log") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="NTDETECT.COM") returned -1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="ntldr") returned -1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="MSDOS.SYS") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="IO.SYS") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="boot.ini") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="AUTOEXEC.BAT") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="ntuser.dat") returned -1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="desktop.ini") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="CONFIG.SYS") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="RECYCLER") returned -1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="BOOTSECT.BAK") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="bootmgr") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="programdata") returned -1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="appdata") returned 1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="program files") returned -1 [0104.813] lstrcmpiW (lpString1="My Documents", lpString2="program files (x86)") returned -1 [0104.814] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0104.814] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="My Documents" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents" [0104.814] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\" [0104.814] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\" [0104.814] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*.*" [0104.814] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66ef0060, ftCreationTime.dwHighDateTime=0x1d5d8e4, ftLastAccessTime.dwLowDateTime=0x689e6fd0, ftLastAccessTime.dwHighDateTime=0x1d5e763, ftLastWriteTime.dwLowDateTime=0x689e6fd0, ftLastWriteTime.dwHighDateTime=0x1d5e763, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="UEL4L3jO9WoSQ7Qozz6", cAlternateFileName="UEL4L3~1")) returned 0xffffffff [0104.814] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="...") returned 1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="windows") returned -1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="$RECYCLE.BIN") returned 1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="rsa") returned -1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="log") returned 1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="NTDETECT.COM") returned -1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="ntldr") returned -1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="MSDOS.SYS") returned 1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="IO.SYS") returned 1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="boot.ini") returned 1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="AUTOEXEC.BAT") returned 1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="ntuser.dat") returned -1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="desktop.ini") returned 1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="CONFIG.SYS") returned 1 [0104.814] lstrcmpiW (lpString1="NetHood", lpString2="RECYCLER") returned -1 [0104.815] lstrcmpiW (lpString1="NetHood", lpString2="BOOTSECT.BAK") returned 1 [0104.815] lstrcmpiW (lpString1="NetHood", lpString2="bootmgr") returned 1 [0104.815] lstrcmpiW (lpString1="NetHood", lpString2="programdata") returned -1 [0104.815] lstrcmpiW (lpString1="NetHood", lpString2="appdata") returned 1 [0104.815] lstrcmpiW (lpString1="NetHood", lpString2="program files") returned -1 [0104.815] lstrcmpiW (lpString1="NetHood", lpString2="program files (x86)") returned -1 [0104.815] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0104.815] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NetHood" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood" [0104.815] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\" [0104.815] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\" [0104.815] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*.*" [0104.815] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66ef0060, ftCreationTime.dwHighDateTime=0x1d5d8e4, ftLastAccessTime.dwLowDateTime=0x689e6fd0, ftLastAccessTime.dwHighDateTime=0x1d5e763, ftLastWriteTime.dwLowDateTime=0x689e6fd0, ftLastWriteTime.dwHighDateTime=0x1d5e763, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="UEL4L3jO9WoSQ7Qozz6", cAlternateFileName="UEL4L3~1")) returned 0xffffffff [0104.815] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8f3afd80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8f3afd80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="...") returned 1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="windows") returned -1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$RECYCLE.BIN") returned 1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="rsa") returned -1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="log") returned 1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="NTDETECT.COM") returned 1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntldr") returned 1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="MSDOS.SYS") returned 1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="IO.SYS") returned 1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="boot.ini") returned 1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="AUTOEXEC.BAT") returned 1 [0104.815] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntuser.dat") returned 0 [0104.815] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x8f389c20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2=".") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="..") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="...") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="windows") returned -1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="$RECYCLE.BIN") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="rsa") returned -1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="log") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="NTDETECT.COM") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntldr") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="MSDOS.SYS") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="IO.SYS") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="boot.ini") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="AUTOEXEC.BAT") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntuser.dat") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="desktop.ini") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="CONFIG.SYS") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="RECYCLER") returned -1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="BOOTSECT.BAK") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="bootmgr") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="programdata") returned -1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="appdata") returned 1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="program files") returned -1 [0104.816] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="program files (x86)") returned -1 [0104.816] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0104.816] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="ntuser.dat.LOG1" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" [0104.816] PathFindExtensionW (pszPath="ntuser.dat.LOG1") returned=".LOG1" [0104.816] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0104.816] lstrcmpiW (lpString1=".LOG1", lpString2=".log") returned 1 [0104.816] lstrcmpiW (lpString1=".LOG1", lpString2=".cab") returned 1 [0104.816] lstrcmpiW (lpString1=".LOG1", lpString2=".cmd") returned 1 [0104.816] lstrcmpiW (lpString1=".LOG1", lpString2=".com") returned 1 [0104.816] lstrcmpiW (lpString1=".LOG1", lpString2=".cpl") returned 1 [0104.816] lstrcmpiW (lpString1=".LOG1", lpString2=".ini") returned 1 [0104.817] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0104.817] lstrcmpiW (lpString1=".LOG1", lpString2=".url") returned -1 [0104.817] lstrcmpiW (lpString1=".LOG1", lpString2=".ttf") returned -1 [0104.817] lstrcmpiW (lpString1=".LOG1", lpString2=".mp3") returned -1 [0104.817] lstrcmpiW (lpString1=".LOG1", lpString2=".pif") returned -1 [0104.817] lstrcmpiW (lpString1=".LOG1", lpString2=".mp4") returned -1 [0104.817] lstrcmpiW (lpString1=".LOG1", lpString2=".NEPHILIM") returned -1 [0104.817] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0104.817] lstrcmpiW (lpString1=".LOG1", lpString2=".lnk") returned 1 [0104.817] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.817] lstrlenA (lpString="NEPHILIM") returned 8 [0104.817] GetProcessHeap () returned 0x4e0000 [0104.817] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d990 [0104.817] lstrlenA (lpString="NEPHILIM") returned 8 [0104.817] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0104.817] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0104.817] GetProcessHeap () returned 0x4e0000 [0104.817] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cd8 [0104.818] GetProcessHeap () returned 0x4e0000 [0104.818] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cc0 [0104.818] SystemFunction036 (in: RandomBuffer=0x504cd8, RandomBufferLength=0x10 | out: RandomBuffer=0x504cd8) returned 1 [0104.818] SystemFunction036 (in: RandomBuffer=0x504cc0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cc0) returned 1 [0104.818] GetProcessHeap () returned 0x4e0000 [0104.818] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508200 [0104.818] GetProcessHeap () returned 0x4e0000 [0104.818] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5080f8 [0104.818] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508200*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x508200*, pdwDataLen=0x24de888*=0x100) returned 1 [0104.818] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5080f8*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x5080f8*, pdwDataLen=0x24de884*=0x100) returned 1 [0104.818] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0104.818] SetLastError (dwErrCode=0x0) [0104.818] WriteFile (in: hFile=0xffffffff, lpBuffer=0x508200, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0104.818] GetLastError () returned 0x6 [0104.818] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28f60c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0104.818] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2=".") returned 1 [0104.818] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="..") returned 1 [0104.818] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="...") returned 1 [0104.818] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="windows") returned -1 [0104.818] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="$RECYCLE.BIN") returned 1 [0104.818] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="rsa") returned -1 [0104.818] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="log") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="NTDETECT.COM") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntldr") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="MSDOS.SYS") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="IO.SYS") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="boot.ini") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="AUTOEXEC.BAT") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntuser.dat") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="desktop.ini") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="CONFIG.SYS") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="RECYCLER") returned -1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="BOOTSECT.BAK") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="bootmgr") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="programdata") returned -1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="appdata") returned 1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="program files") returned -1 [0104.819] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="program files (x86)") returned -1 [0104.819] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0104.819] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="ntuser.dat.LOG2" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" [0104.819] PathFindExtensionW (pszPath="ntuser.dat.LOG2") returned=".LOG2" [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".log") returned 1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".cab") returned 1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".cmd") returned 1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".com") returned 1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".cpl") returned 1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".ini") returned 1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".url") returned -1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".ttf") returned -1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".mp3") returned -1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".pif") returned -1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".mp4") returned -1 [0104.819] lstrcmpiW (lpString1=".LOG2", lpString2=".NEPHILIM") returned -1 [0104.820] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0104.820] lstrcmpiW (lpString1=".LOG2", lpString2=".lnk") returned 1 [0104.820] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.820] lstrlenA (lpString="NEPHILIM") returned 8 [0104.820] GetProcessHeap () returned 0x4e0000 [0104.820] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d9a0 [0104.820] lstrlenA (lpString="NEPHILIM") returned 8 [0104.820] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0104.820] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0104.820] GetProcessHeap () returned 0x4e0000 [0104.820] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504cf0 [0104.820] GetProcessHeap () returned 0x4e0000 [0104.820] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504d08 [0104.820] SystemFunction036 (in: RandomBuffer=0x504cf0, RandomBufferLength=0x10 | out: RandomBuffer=0x504cf0) returned 1 [0104.820] SystemFunction036 (in: RandomBuffer=0x504d08, RandomBufferLength=0x10 | out: RandomBuffer=0x504d08) returned 1 [0104.820] GetProcessHeap () returned 0x4e0000 [0104.820] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508308 [0104.820] GetProcessHeap () returned 0x4e0000 [0104.820] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508410 [0104.820] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508308*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x508308*, pdwDataLen=0x24de888*=0x100) returned 1 [0104.821] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508410*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x508410*, pdwDataLen=0x24de884*=0x100) returned 1 [0104.821] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0104.821] SetLastError (dwErrCode=0x0) [0104.821] WriteFile (in: hFile=0xffffffff, lpBuffer=0x508308, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0104.821] GetLastError () returned 0x6 [0104.821] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="..") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="...") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="windows") returned -1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="$RECYCLE.BIN") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="rsa") returned -1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="log") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="NTDETECT.COM") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="ntldr") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="MSDOS.SYS") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="IO.SYS") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="boot.ini") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="AUTOEXEC.BAT") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="ntuser.dat") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="desktop.ini") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="CONFIG.SYS") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="RECYCLER") returned -1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="BOOTSECT.BAK") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="bootmgr") returned 1 [0104.821] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="programdata") returned -1 [0104.822] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="appdata") returned 1 [0104.822] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="program files") returned -1 [0104.822] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="program files (x86)") returned -1 [0104.822] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0104.822] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0104.822] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned=".blf" [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".exe") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".log") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".cab") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".cmd") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".com") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".cpl") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".url") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".ttf") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".mp3") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".pif") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".mp4") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".NEPHILIM") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".msi") returned -1 [0104.822] lstrcmpiW (lpString1=".blf", lpString2=".lnk") returned -1 [0104.822] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.822] lstrlenA (lpString="NEPHILIM") returned 8 [0104.822] GetProcessHeap () returned 0x4e0000 [0104.822] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d9b0 [0104.822] lstrlenA (lpString="NEPHILIM") returned 8 [0104.822] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0104.822] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0104.823] GetProcessHeap () returned 0x4e0000 [0104.823] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504d20 [0104.823] GetProcessHeap () returned 0x4e0000 [0104.823] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504d38 [0104.823] SystemFunction036 (in: RandomBuffer=0x504d20, RandomBufferLength=0x10 | out: RandomBuffer=0x504d20) returned 1 [0104.823] SystemFunction036 (in: RandomBuffer=0x504d38, RandomBufferLength=0x10 | out: RandomBuffer=0x504d38) returned 1 [0104.823] GetProcessHeap () returned 0x4e0000 [0104.823] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508518 [0104.823] GetProcessHeap () returned 0x4e0000 [0104.823] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508620 [0104.823] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508518*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x508518*, pdwDataLen=0x24de888*=0x100) returned 1 [0104.823] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508620*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x508620*, pdwDataLen=0x24de884*=0x100) returned 1 [0104.823] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0104.823] SetLastError (dwErrCode=0x0) [0104.823] WriteFile (in: hFile=0xffffffff, lpBuffer=0x508518, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0104.823] GetLastError () returned 0x6 [0104.823] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0104.823] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0104.823] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0104.823] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="...") returned 1 [0104.823] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0104.823] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="rsa") returned -1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="log") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntldr") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="IO.SYS") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot.ini") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="desktop.ini") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="RECYCLER") returned -1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootmgr") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="programdata") returned -1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="appdata") returned 1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files") returned -1 [0104.824] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files (x86)") returned -1 [0104.824] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0104.824] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0104.824] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0104.824] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0104.825] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEPHILIM") returned 1 [0104.825] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0104.825] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0104.825] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.825] lstrlenA (lpString="NEPHILIM") returned 8 [0104.825] GetProcessHeap () returned 0x4e0000 [0104.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d9c0 [0104.825] lstrlenA (lpString="NEPHILIM") returned 8 [0104.825] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0104.825] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0104.825] GetProcessHeap () returned 0x4e0000 [0104.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504d50 [0104.825] GetProcessHeap () returned 0x4e0000 [0104.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504d68 [0104.825] SystemFunction036 (in: RandomBuffer=0x504d50, RandomBufferLength=0x10 | out: RandomBuffer=0x504d50) returned 1 [0104.825] SystemFunction036 (in: RandomBuffer=0x504d68, RandomBufferLength=0x10 | out: RandomBuffer=0x504d68) returned 1 [0104.825] GetProcessHeap () returned 0x4e0000 [0104.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508728 [0104.825] GetProcessHeap () returned 0x4e0000 [0104.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508830 [0104.825] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508728*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x508728*, pdwDataLen=0x24de888*=0x100) returned 1 [0104.825] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508830*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x508830*, pdwDataLen=0x24de884*=0x100) returned 1 [0104.826] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0104.826] SetLastError (dwErrCode=0x0) [0104.826] WriteFile (in: hFile=0xffffffff, lpBuffer=0x508728, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0104.826] GetLastError () returned 0x6 [0104.826] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0104.826] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0104.826] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0104.826] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="...") returned 1 [0104.826] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0104.826] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0104.826] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="rsa") returned -1 [0104.826] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="log") returned 1 [0104.826] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0104.828] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntldr") returned 1 [0104.828] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="IO.SYS") returned 1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot.ini") returned 1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="desktop.ini") returned 1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="RECYCLER") returned -1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootmgr") returned 1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="programdata") returned -1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="appdata") returned 1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files") returned -1 [0104.829] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files (x86)") returned -1 [0104.829] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0104.829] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0104.829] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0104.829] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEPHILIM") returned 1 [0104.830] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0104.830] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0104.830] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.830] lstrlenA (lpString="NEPHILIM") returned 8 [0104.830] GetProcessHeap () returned 0x4e0000 [0104.830] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d9d0 [0104.830] lstrlenA (lpString="NEPHILIM") returned 8 [0104.830] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0104.830] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=4294968320) returned 0 [0104.830] GetProcessHeap () returned 0x4e0000 [0104.830] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504d80 [0104.830] GetProcessHeap () returned 0x4e0000 [0104.830] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504d98 [0104.830] SystemFunction036 (in: RandomBuffer=0x504d80, RandomBufferLength=0x10 | out: RandomBuffer=0x504d80) returned 1 [0104.830] SystemFunction036 (in: RandomBuffer=0x504d98, RandomBufferLength=0x10 | out: RandomBuffer=0x504d98) returned 1 [0104.830] GetProcessHeap () returned 0x4e0000 [0104.830] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508938 [0104.830] GetProcessHeap () returned 0x4e0000 [0104.830] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508a40 [0104.830] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508938*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x508938*, pdwDataLen=0x24de888*=0x100) returned 1 [0104.831] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508a40*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x508a40*, pdwDataLen=0x24de884*=0x100) returned 1 [0104.831] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0104.831] SetLastError (dwErrCode=0x0) [0104.831] WriteFile (in: hFile=0xffffffff, lpBuffer=0x508938, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0) returned 0 [0104.831] GetLastError () returned 0x6 [0104.831] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cd94e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2=".") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="..") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="...") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="windows") returned -1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="$RECYCLE.BIN") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="rsa") returned -1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="log") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="NTDETECT.COM") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntldr") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="MSDOS.SYS") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="IO.SYS") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="boot.ini") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="AUTOEXEC.BAT") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntuser.dat") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="desktop.ini") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="CONFIG.SYS") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="RECYCLER") returned -1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="BOOTSECT.BAK") returned 1 [0104.831] lstrcmpiW (lpString1="ntuser.ini", lpString2="bootmgr") returned 1 [0104.832] lstrcmpiW (lpString1="ntuser.ini", lpString2="programdata") returned -1 [0104.832] lstrcmpiW (lpString1="ntuser.ini", lpString2="appdata") returned 1 [0104.832] lstrcmpiW (lpString1="ntuser.ini", lpString2="program files") returned -1 [0104.832] lstrcmpiW (lpString1="ntuser.ini", lpString2="program files (x86)") returned -1 [0104.832] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0104.832] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="ntuser.ini" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" [0104.832] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0104.832] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0104.832] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0104.832] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0104.832] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0104.832] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0104.832] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0104.832] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0104.832] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xe07397c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe07397c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="...") returned 1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="$RECYCLE.BIN") returned 1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="rsa") returned -1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="log") returned 1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="NTDETECT.COM") returned 1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="ntldr") returned 1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="MSDOS.SYS") returned 1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="IO.SYS") returned 1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="boot.ini") returned 1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0104.832] lstrcmpiW (lpString1="Pictures", lpString2="ntuser.dat") returned 1 [0104.833] lstrcmpiW (lpString1="Pictures", lpString2="desktop.ini") returned 1 [0104.833] lstrcmpiW (lpString1="Pictures", lpString2="CONFIG.SYS") returned 1 [0104.833] lstrcmpiW (lpString1="Pictures", lpString2="RECYCLER") returned -1 [0104.833] lstrcmpiW (lpString1="Pictures", lpString2="BOOTSECT.BAK") returned 1 [0104.833] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0104.833] lstrcmpiW (lpString1="Pictures", lpString2="programdata") returned -1 [0104.833] lstrcmpiW (lpString1="Pictures", lpString2="appdata") returned 1 [0104.833] lstrcmpiW (lpString1="Pictures", lpString2="program files") returned -1 [0104.833] lstrcmpiW (lpString1="Pictures", lpString2="program files (x86)") returned -1 [0104.833] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0104.833] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Pictures" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0104.833] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0104.833] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0104.833] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0104.833] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xe07397c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe07397c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0104.833] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.833] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xe07397c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe07397c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="..", cAlternateFileName="")) returned 1 [0104.833] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.833] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.833] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b3c50e0, ftCreationTime.dwHighDateTime=0x1d5e5d0, ftLastAccessTime.dwLowDateTime=0x46ae4bd0, ftLastAccessTime.dwHighDateTime=0x1d5e5a5, ftLastWriteTime.dwLowDateTime=0x46ae4bd0, ftLastWriteTime.dwHighDateTime=0x1d5e5a5, nFileSizeHigh=0x0, nFileSizeLow=0x4c26, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="-Uf_nS_aQJPj.jpg", cAlternateFileName="-UF_NS~1.JPG")) returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2=".") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="..") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="...") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="windows") returned -1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="$RECYCLE.BIN") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="rsa") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="log") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="NTDETECT.COM") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="ntldr") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="MSDOS.SYS") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="IO.SYS") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="boot.ini") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="ntuser.dat") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="desktop.ini") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="CONFIG.SYS") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="RECYCLER") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="BOOTSECT.BAK") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="bootmgr") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="programdata") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="appdata") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="program files") returned 1 [0104.834] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="program files (x86)") returned 1 [0104.834] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0104.834] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="-Uf_nS_aQJPj.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-Uf_nS_aQJPj.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-Uf_nS_aQJPj.jpg" [0104.834] PathFindExtensionW (pszPath="-Uf_nS_aQJPj.jpg") returned=".jpg" [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0104.835] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0104.835] lstrcmpiW (lpString1="-Uf_nS_aQJPj.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.835] lstrlenA (lpString="NEPHILIM") returned 8 [0104.835] GetProcessHeap () returned 0x4e0000 [0104.835] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d9e0 [0104.835] lstrlenA (lpString="NEPHILIM") returned 8 [0104.835] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-Uf_nS_aQJPj.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\-uf_ns_aqjpj.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0104.836] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=19494) returned 1 [0104.836] GetProcessHeap () returned 0x4e0000 [0104.836] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0104.836] GetProcessHeap () returned 0x4e0000 [0104.836] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0104.836] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0104.836] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0104.836] GetProcessHeap () returned 0x4e0000 [0104.836] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0104.836] GetProcessHeap () returned 0x4e0000 [0104.836] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0104.836] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de208*=0x100) returned 1 [0104.836] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de204*=0x100) returned 1 [0104.836] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x4c26, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.836] SetLastError (dwErrCode=0x0) [0104.837] WriteFile (in: hFile=0xec, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.838] GetLastError () returned 0x0 [0104.838] GetLastError () returned 0x0 [0104.838] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x4d26, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.838] WriteFile (in: hFile=0xec, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.838] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x4e26, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.838] lstrlenA (lpString="NEPHILIM") returned 8 [0104.838] WriteFile (in: hFile=0xec, lpBuffer=0x50d9e0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50d9e0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0104.838] GetProcessHeap () returned 0x4e0000 [0104.838] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x4c26) returned 0x50dcb8 [0104.838] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.838] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x4c26, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x4c26, lpOverlapped=0x0) returned 1 [0104.839] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.840] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x4c26, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x4c26, lpOverlapped=0x0) returned 1 [0104.840] GetProcessHeap () returned 0x4e0000 [0104.840] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.840] CloseHandle (hObject=0xec) returned 1 [0104.850] GetProcessHeap () returned 0x4e0000 [0104.850] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0104.851] GetProcessHeap () returned 0x4e0000 [0104.851] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0104.851] GetProcessHeap () returned 0x4e0000 [0104.851] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0104.851] GetProcessHeap () returned 0x4e0000 [0104.851] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0104.851] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-Uf_nS_aQJPj.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-Uf_nS_aQJPj.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-Uf_nS_aQJPj.jpg" [0104.851] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-Uf_nS_aQJPj.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-Uf_nS_aQJPj.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-Uf_nS_aQJPj.jpg.NEPHILIM" [0104.851] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-Uf_nS_aQJPj.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\-uf_ns_aqjpj.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-Uf_nS_aQJPj.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\-uf_ns_aqjpj.jpg.nephilim")) returned 1 [0104.852] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71076a80, ftCreationTime.dwHighDateTime=0x1d5e04e, ftLastAccessTime.dwLowDateTime=0xd0be1f40, ftLastAccessTime.dwHighDateTime=0x1d5dff5, ftLastWriteTime.dwLowDateTime=0xd0be1f40, ftLastWriteTime.dwHighDateTime=0x1d5dff5, nFileSizeHigh=0x0, nFileSizeLow=0x7ec6, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="4p98rTVFWk9NUKd3XYuz.png", cAlternateFileName="4P98RT~1.PNG")) returned 1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2=".") returned 1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="..") returned 1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="...") returned 1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="windows") returned -1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="$RECYCLE.BIN") returned 1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="rsa") returned -1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="log") returned -1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="NTDETECT.COM") returned -1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="ntldr") returned -1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="MSDOS.SYS") returned -1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="IO.SYS") returned -1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="boot.ini") returned -1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="AUTOEXEC.BAT") returned -1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="ntuser.dat") returned -1 [0104.852] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="desktop.ini") returned -1 [0104.853] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="CONFIG.SYS") returned -1 [0104.853] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="RECYCLER") returned -1 [0104.853] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="BOOTSECT.BAK") returned -1 [0104.853] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="bootmgr") returned -1 [0104.853] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="programdata") returned -1 [0104.853] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="appdata") returned -1 [0104.853] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="program files") returned -1 [0104.853] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="program files (x86)") returned -1 [0104.853] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0104.853] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="4p98rTVFWk9NUKd3XYuz.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4p98rTVFWk9NUKd3XYuz.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4p98rTVFWk9NUKd3XYuz.png" [0104.853] PathFindExtensionW (pszPath="4p98rTVFWk9NUKd3XYuz.png") returned=".png" [0104.853] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0104.853] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0104.853] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0104.853] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0104.853] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0104.853] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0104.853] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0104.853] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0104.853] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0104.853] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0104.853] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0104.853] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0104.853] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0104.854] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0104.854] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0104.854] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0104.854] lstrcmpiW (lpString1="4p98rTVFWk9NUKd3XYuz.png", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.854] lstrlenA (lpString="NEPHILIM") returned 8 [0104.854] GetProcessHeap () returned 0x4e0000 [0104.854] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d9f0 [0104.854] lstrlenA (lpString="NEPHILIM") returned 8 [0104.854] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4p98rTVFWk9NUKd3XYuz.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\4p98rtvfwk9nukd3xyuz.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0104.854] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=32454) returned 1 [0104.854] GetProcessHeap () returned 0x4e0000 [0104.854] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0104.854] GetProcessHeap () returned 0x4e0000 [0104.854] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0104.854] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0104.854] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0104.854] GetProcessHeap () returned 0x4e0000 [0104.854] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0104.855] GetProcessHeap () returned 0x4e0000 [0104.855] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0104.855] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de208*=0x100) returned 1 [0104.855] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de204*=0x100) returned 1 [0104.855] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7ec6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.855] SetLastError (dwErrCode=0x0) [0104.855] WriteFile (in: hFile=0xec, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.856] GetLastError () returned 0x0 [0104.856] GetLastError () returned 0x0 [0104.856] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x7fc6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.857] WriteFile (in: hFile=0xec, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.857] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x80c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.857] lstrlenA (lpString="NEPHILIM") returned 8 [0104.857] WriteFile (in: hFile=0xec, lpBuffer=0x50d9f0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50d9f0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0104.857] GetProcessHeap () returned 0x4e0000 [0104.857] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x7ec6) returned 0x50dcb8 [0104.857] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.857] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x7ec6, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x7ec6, lpOverlapped=0x0) returned 1 [0104.861] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.861] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x7ec6, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x7ec6, lpOverlapped=0x0) returned 1 [0104.861] GetProcessHeap () returned 0x4e0000 [0104.861] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.861] CloseHandle (hObject=0xec) returned 1 [0104.863] GetProcessHeap () returned 0x4e0000 [0104.863] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0104.863] GetProcessHeap () returned 0x4e0000 [0104.863] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0104.863] GetProcessHeap () returned 0x4e0000 [0104.863] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0104.863] GetProcessHeap () returned 0x4e0000 [0104.863] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0104.863] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4p98rTVFWk9NUKd3XYuz.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4p98rTVFWk9NUKd3XYuz.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4p98rTVFWk9NUKd3XYuz.png" [0104.863] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4p98rTVFWk9NUKd3XYuz.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4p98rTVFWk9NUKd3XYuz.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4p98rTVFWk9NUKd3XYuz.png.NEPHILIM" [0104.863] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4p98rTVFWk9NUKd3XYuz.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\4p98rtvfwk9nukd3xyuz.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4p98rTVFWk9NUKd3XYuz.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\4p98rtvfwk9nukd3xyuz.png.nephilim")) returned 1 [0104.864] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c5d550, ftCreationTime.dwHighDateTime=0x1d5db43, ftLastAccessTime.dwLowDateTime=0x6ce74b80, ftLastAccessTime.dwHighDateTime=0x1d5dc8b, ftLastWriteTime.dwLowDateTime=0x6ce74b80, ftLastWriteTime.dwHighDateTime=0x1d5dc8b, nFileSizeHigh=0x0, nFileSizeLow=0x8202, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="6f6fM0kHHEbQnM.gif", cAlternateFileName="6F6FM0~1.GIF")) returned 1 [0104.864] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2=".") returned 1 [0104.864] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="..") returned 1 [0104.864] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="...") returned 1 [0104.864] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="windows") returned -1 [0104.864] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="$RECYCLE.BIN") returned 1 [0104.864] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="rsa") returned -1 [0104.864] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="log") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="NTDETECT.COM") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="ntldr") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="MSDOS.SYS") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="IO.SYS") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="boot.ini") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="AUTOEXEC.BAT") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="ntuser.dat") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="desktop.ini") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="CONFIG.SYS") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="RECYCLER") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="BOOTSECT.BAK") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="bootmgr") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="programdata") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="appdata") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="program files") returned -1 [0104.865] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="program files (x86)") returned -1 [0104.865] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0104.865] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="6f6fM0kHHEbQnM.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6f6fM0kHHEbQnM.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6f6fM0kHHEbQnM.gif" [0104.865] PathFindExtensionW (pszPath="6f6fM0kHHEbQnM.gif") returned=".gif" [0104.865] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0104.865] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0104.865] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0104.865] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0104.865] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0104.865] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0104.866] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0104.866] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0104.866] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0104.866] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0104.866] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0104.866] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0104.866] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0104.866] lstrcmpiW (lpString1=".gif", lpString2=".NEPHILIM") returned -1 [0104.866] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0104.866] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0104.866] lstrcmpiW (lpString1="6f6fM0kHHEbQnM.gif", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.866] lstrlenA (lpString="NEPHILIM") returned 8 [0104.866] GetProcessHeap () returned 0x4e0000 [0104.866] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50da00 [0104.866] lstrlenA (lpString="NEPHILIM") returned 8 [0104.866] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6f6fM0kHHEbQnM.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\6f6fm0khhebqnm.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0104.866] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=33282) returned 1 [0104.866] GetProcessHeap () returned 0x4e0000 [0104.867] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0104.867] GetProcessHeap () returned 0x4e0000 [0104.867] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0104.867] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0104.867] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0104.867] GetProcessHeap () returned 0x4e0000 [0104.867] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0104.867] GetProcessHeap () returned 0x4e0000 [0104.867] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0104.867] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de208*=0x100) returned 1 [0104.867] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de204*=0x100) returned 1 [0104.867] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8202, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.868] SetLastError (dwErrCode=0x0) [0104.868] WriteFile (in: hFile=0xec, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.869] GetLastError () returned 0x0 [0104.869] GetLastError () returned 0x0 [0104.869] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8302, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.869] WriteFile (in: hFile=0xec, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.869] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8402, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.869] lstrlenA (lpString="NEPHILIM") returned 8 [0104.869] WriteFile (in: hFile=0xec, lpBuffer=0x50da00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50da00*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0104.869] GetProcessHeap () returned 0x4e0000 [0104.869] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8202) returned 0x50dcb8 [0104.869] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.869] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x8202, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x8202, lpOverlapped=0x0) returned 1 [0104.871] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.872] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x8202, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x8202, lpOverlapped=0x0) returned 1 [0104.872] GetProcessHeap () returned 0x4e0000 [0104.872] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.872] CloseHandle (hObject=0xec) returned 1 [0104.895] GetProcessHeap () returned 0x4e0000 [0104.895] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0104.895] GetProcessHeap () returned 0x4e0000 [0104.895] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0104.895] GetProcessHeap () returned 0x4e0000 [0104.896] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0104.896] GetProcessHeap () returned 0x4e0000 [0104.896] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0104.896] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6f6fM0kHHEbQnM.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6f6fM0kHHEbQnM.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6f6fM0kHHEbQnM.gif" [0104.896] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6f6fM0kHHEbQnM.gif", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6f6fM0kHHEbQnM.gif.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6f6fM0kHHEbQnM.gif.NEPHILIM" [0104.896] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6f6fM0kHHEbQnM.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\6f6fm0khhebqnm.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6f6fM0kHHEbQnM.gif.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\6f6fm0khhebqnm.gif.nephilim")) returned 1 [0104.897] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f2ec710, ftCreationTime.dwHighDateTime=0x1d5e4a0, ftLastAccessTime.dwLowDateTime=0x707b13a0, ftLastAccessTime.dwHighDateTime=0x1d5daa9, ftLastWriteTime.dwLowDateTime=0x707b13a0, ftLastWriteTime.dwHighDateTime=0x1d5daa9, nFileSizeHigh=0x0, nFileSizeLow=0x14f75, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="7nOMhYU-03VZY.png", cAlternateFileName="7NOMHY~1.PNG")) returned 1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2=".") returned 1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="..") returned 1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="...") returned 1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="windows") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="$RECYCLE.BIN") returned 1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="rsa") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="log") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="NTDETECT.COM") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="ntldr") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="MSDOS.SYS") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="IO.SYS") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="boot.ini") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="AUTOEXEC.BAT") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="ntuser.dat") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="desktop.ini") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="CONFIG.SYS") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="RECYCLER") returned -1 [0104.897] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="BOOTSECT.BAK") returned -1 [0104.898] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="bootmgr") returned -1 [0104.898] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="programdata") returned -1 [0104.898] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="appdata") returned -1 [0104.898] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="program files") returned -1 [0104.898] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="program files (x86)") returned -1 [0104.898] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0104.898] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="7nOMhYU-03VZY.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\7nOMhYU-03VZY.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\7nOMhYU-03VZY.png" [0104.898] PathFindExtensionW (pszPath="7nOMhYU-03VZY.png") returned=".png" [0104.898] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0104.898] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0104.898] lstrcmpiW (lpString1="7nOMhYU-03VZY.png", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.898] lstrlenA (lpString="NEPHILIM") returned 8 [0104.899] GetProcessHeap () returned 0x4e0000 [0104.899] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50da10 [0104.899] lstrlenA (lpString="NEPHILIM") returned 8 [0104.899] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\7nOMhYU-03VZY.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\7nomhyu-03vzy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0104.899] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=85877) returned 1 [0104.899] GetProcessHeap () returned 0x4e0000 [0104.899] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0104.899] GetProcessHeap () returned 0x4e0000 [0104.899] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0104.899] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0104.899] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0104.899] GetProcessHeap () returned 0x4e0000 [0104.899] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0104.899] GetProcessHeap () returned 0x4e0000 [0104.899] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0104.899] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de208*=0x100) returned 1 [0104.900] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de204*=0x100) returned 1 [0104.900] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x14f75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.900] SetLastError (dwErrCode=0x0) [0104.900] WriteFile (in: hFile=0xec, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.901] GetLastError () returned 0x0 [0104.902] GetLastError () returned 0x0 [0104.902] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15075, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.902] WriteFile (in: hFile=0xec, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.902] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15175, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.902] lstrlenA (lpString="NEPHILIM") returned 8 [0104.902] WriteFile (in: hFile=0xec, lpBuffer=0x50da10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50da10*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0104.902] GetProcessHeap () returned 0x4e0000 [0104.902] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x14f75) returned 0x50dcb8 [0104.902] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.902] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x14f75, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x14f75, lpOverlapped=0x0) returned 1 [0104.908] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.908] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x14f75, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x14f75, lpOverlapped=0x0) returned 1 [0104.909] GetProcessHeap () returned 0x4e0000 [0104.909] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.909] CloseHandle (hObject=0xec) returned 1 [0104.911] GetProcessHeap () returned 0x4e0000 [0104.911] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0104.911] GetProcessHeap () returned 0x4e0000 [0104.911] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0104.911] GetProcessHeap () returned 0x4e0000 [0104.911] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0104.911] GetProcessHeap () returned 0x4e0000 [0104.911] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0104.911] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\7nOMhYU-03VZY.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\7nOMhYU-03VZY.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\7nOMhYU-03VZY.png" [0104.911] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\7nOMhYU-03VZY.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\7nOMhYU-03VZY.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\7nOMhYU-03VZY.png.NEPHILIM" [0104.911] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\7nOMhYU-03VZY.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\7nomhyu-03vzy.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\7nOMhYU-03VZY.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\7nomhyu-03vzy.png.nephilim")) returned 1 [0104.912] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f4b2150, ftCreationTime.dwHighDateTime=0x1d5dadf, ftLastAccessTime.dwLowDateTime=0x64955a80, ftLastAccessTime.dwHighDateTime=0x1d5dbb9, ftLastWriteTime.dwLowDateTime=0x64955a80, ftLastWriteTime.dwHighDateTime=0x1d5dbb9, nFileSizeHigh=0x0, nFileSizeLow=0x11f4a, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="8twYFrA8egRA4VpVCc.jpg", cAlternateFileName="8TWYFR~1.JPG")) returned 1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2=".") returned 1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="..") returned 1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="...") returned 1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="windows") returned -1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="$RECYCLE.BIN") returned 1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="rsa") returned -1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="log") returned -1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="NTDETECT.COM") returned -1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="ntldr") returned -1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="MSDOS.SYS") returned -1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="IO.SYS") returned -1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="boot.ini") returned -1 [0104.912] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="AUTOEXEC.BAT") returned -1 [0104.913] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="ntuser.dat") returned -1 [0104.913] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="desktop.ini") returned -1 [0104.913] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="CONFIG.SYS") returned -1 [0104.913] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="RECYCLER") returned -1 [0104.913] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="BOOTSECT.BAK") returned -1 [0104.913] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="bootmgr") returned -1 [0104.913] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="programdata") returned -1 [0104.913] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="appdata") returned -1 [0104.913] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="program files") returned -1 [0104.913] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="program files (x86)") returned -1 [0104.913] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0104.913] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="8twYFrA8egRA4VpVCc.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\8twYFrA8egRA4VpVCc.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\8twYFrA8egRA4VpVCc.jpg" [0104.913] PathFindExtensionW (pszPath="8twYFrA8egRA4VpVCc.jpg") returned=".jpg" [0104.913] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0104.913] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0104.913] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0104.913] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0104.913] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0104.913] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0104.913] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0104.913] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0104.913] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0104.913] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0104.913] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0104.914] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0104.914] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0104.914] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0104.914] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0104.914] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0104.914] lstrcmpiW (lpString1="8twYFrA8egRA4VpVCc.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.914] lstrlenA (lpString="NEPHILIM") returned 8 [0104.914] GetProcessHeap () returned 0x4e0000 [0104.914] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50da20 [0104.914] lstrlenA (lpString="NEPHILIM") returned 8 [0104.914] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\8twYFrA8egRA4VpVCc.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\8twyfra8egra4vpvcc.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0104.914] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=73546) returned 1 [0104.914] GetProcessHeap () returned 0x4e0000 [0104.914] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0104.914] GetProcessHeap () returned 0x4e0000 [0104.914] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0104.915] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0104.915] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0104.915] GetProcessHeap () returned 0x4e0000 [0104.915] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0104.915] GetProcessHeap () returned 0x4e0000 [0104.915] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0104.915] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de208*=0x100) returned 1 [0104.915] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de204*=0x100) returned 1 [0104.915] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11f4a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.915] SetLastError (dwErrCode=0x0) [0104.915] WriteFile (in: hFile=0xec, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.917] GetLastError () returned 0x0 [0104.917] GetLastError () returned 0x0 [0104.917] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1204a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.917] WriteFile (in: hFile=0xec, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0104.917] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1214a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.917] lstrlenA (lpString="NEPHILIM") returned 8 [0104.917] WriteFile (in: hFile=0xec, lpBuffer=0x50da20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50da20*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0104.917] GetProcessHeap () returned 0x4e0000 [0104.917] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x11f4a) returned 0x50dcb8 [0104.917] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.917] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x11f4a, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x11f4a, lpOverlapped=0x0) returned 1 [0104.923] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.923] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x11f4a, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x11f4a, lpOverlapped=0x0) returned 1 [0104.923] GetProcessHeap () returned 0x4e0000 [0104.923] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.923] CloseHandle (hObject=0xec) returned 1 [0104.925] GetProcessHeap () returned 0x4e0000 [0104.925] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0104.925] GetProcessHeap () returned 0x4e0000 [0104.925] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0104.925] GetProcessHeap () returned 0x4e0000 [0104.925] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0104.925] GetProcessHeap () returned 0x4e0000 [0104.925] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0104.925] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\8twYFrA8egRA4VpVCc.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\8twYFrA8egRA4VpVCc.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\8twYFrA8egRA4VpVCc.jpg" [0104.925] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\8twYFrA8egRA4VpVCc.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\8twYFrA8egRA4VpVCc.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\8twYFrA8egRA4VpVCc.jpg.NEPHILIM" [0104.925] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\8twYFrA8egRA4VpVCc.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\8twyfra8egra4vpvcc.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\8twYFrA8egRA4VpVCc.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\8twyfra8egra4vpvcc.jpg.nephilim")) returned 1 [0104.927] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb51db310, ftCreationTime.dwHighDateTime=0x1d5dc29, ftLastAccessTime.dwLowDateTime=0x9b62c700, ftLastAccessTime.dwHighDateTime=0x1d5e1e5, ftLastWriteTime.dwLowDateTime=0x9b62c700, ftLastWriteTime.dwHighDateTime=0x1d5e1e5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="AAq03dS _t6R", cAlternateFileName="AAQ03D~1")) returned 1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2=".") returned 1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="..") returned 1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="...") returned 1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="windows") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="$RECYCLE.BIN") returned 1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="rsa") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="log") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="NTDETECT.COM") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="ntldr") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="MSDOS.SYS") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="IO.SYS") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="boot.ini") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="AUTOEXEC.BAT") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="ntuser.dat") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="desktop.ini") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="CONFIG.SYS") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="RECYCLER") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="BOOTSECT.BAK") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="bootmgr") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="programdata") returned -1 [0104.927] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="appdata") returned -1 [0104.928] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="program files") returned -1 [0104.928] lstrcmpiW (lpString1="AAq03dS _t6R", lpString2="program files (x86)") returned -1 [0104.928] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0104.928] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="AAq03dS _t6R" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R" [0104.928] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0104.928] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0104.928] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\*.*" [0104.928] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb51db310, ftCreationTime.dwHighDateTime=0x1d5dc29, ftLastAccessTime.dwLowDateTime=0x9b62c700, ftLastAccessTime.dwHighDateTime=0x1d5e1e5, ftLastWriteTime.dwLowDateTime=0x9b62c700, ftLastWriteTime.dwHighDateTime=0x1d5e1e5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0104.928] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.928] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb51db310, ftCreationTime.dwHighDateTime=0x1d5dc29, ftLastAccessTime.dwLowDateTime=0x9b62c700, ftLastAccessTime.dwHighDateTime=0x1d5e1e5, ftLastWriteTime.dwLowDateTime=0x9b62c700, ftLastWriteTime.dwHighDateTime=0x1d5e1e5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="..", cAlternateFileName="")) returned 1 [0104.928] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.928] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.928] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68317b20, ftCreationTime.dwHighDateTime=0x1d5e35b, ftLastAccessTime.dwLowDateTime=0x59dada10, ftLastAccessTime.dwHighDateTime=0x1d5db4c, ftLastWriteTime.dwLowDateTime=0x59dada10, ftLastWriteTime.dwHighDateTime=0x1d5db4c, nFileSizeHigh=0x0, nFileSizeLow=0x18215, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="-XnIV_EaU5WHIey.bmp", cAlternateFileName="-XNIV_~1.BMP")) returned 1 [0104.928] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2=".") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="..") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="...") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="windows") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="$RECYCLE.BIN") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="rsa") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="log") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="NTDETECT.COM") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="ntldr") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="MSDOS.SYS") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="IO.SYS") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="boot.ini") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="ntuser.dat") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="desktop.ini") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="CONFIG.SYS") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="RECYCLER") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="BOOTSECT.BAK") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="bootmgr") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="programdata") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="appdata") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="program files") returned 1 [0104.929] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="program files (x86)") returned 1 [0104.929] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0104.929] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="-XnIV_EaU5WHIey.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\-XnIV_EaU5WHIey.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\-XnIV_EaU5WHIey.bmp" [0104.929] PathFindExtensionW (pszPath="-XnIV_EaU5WHIey.bmp") returned=".bmp" [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0104.930] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0104.930] lstrcmpiW (lpString1="-XnIV_EaU5WHIey.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0104.930] lstrlenA (lpString="NEPHILIM") returned 8 [0104.930] GetProcessHeap () returned 0x4e0000 [0104.930] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50da30 [0104.930] lstrlenA (lpString="NEPHILIM") returned 8 [0104.930] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\-XnIV_EaU5WHIey.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\-xniv_eau5whiey.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0104.931] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=98837) returned 1 [0104.931] GetProcessHeap () returned 0x4e0000 [0104.931] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0104.931] GetProcessHeap () returned 0x4e0000 [0104.931] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0104.931] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0104.931] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0104.931] GetProcessHeap () returned 0x4e0000 [0104.931] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0104.931] GetProcessHeap () returned 0x4e0000 [0104.931] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0104.931] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0104.932] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0104.932] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x18215, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.932] SetLastError (dwErrCode=0x0) [0104.932] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.933] GetLastError () returned 0x0 [0104.933] GetLastError () returned 0x0 [0104.933] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x18315, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.933] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.933] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x18415, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.933] lstrlenA (lpString="NEPHILIM") returned 8 [0104.933] WriteFile (in: hFile=0xf0, lpBuffer=0x50da30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50da30*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0104.934] GetProcessHeap () returned 0x4e0000 [0104.934] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x18215) returned 0x50dcb8 [0104.934] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.934] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x18215, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x18215, lpOverlapped=0x0) returned 1 [0104.948] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.948] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x18215, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x18215, lpOverlapped=0x0) returned 1 [0104.949] GetProcessHeap () returned 0x4e0000 [0104.949] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.949] CloseHandle (hObject=0xf0) returned 1 [0104.951] GetProcessHeap () returned 0x4e0000 [0104.951] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0104.951] GetProcessHeap () returned 0x4e0000 [0104.951] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0104.951] GetProcessHeap () returned 0x4e0000 [0104.951] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0104.951] GetProcessHeap () returned 0x4e0000 [0104.951] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0104.952] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\-XnIV_EaU5WHIey.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\-XnIV_EaU5WHIey.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\-XnIV_EaU5WHIey.bmp" [0104.952] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\-XnIV_EaU5WHIey.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\-XnIV_EaU5WHIey.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\-XnIV_EaU5WHIey.bmp.NEPHILIM" [0104.952] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\-XnIV_EaU5WHIey.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\-xniv_eau5whiey.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\-XnIV_EaU5WHIey.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\-xniv_eau5whiey.bmp.nephilim")) returned 1 [0104.953] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12fe5990, ftCreationTime.dwHighDateTime=0x1d5d9b3, ftLastAccessTime.dwLowDateTime=0xb2682ec0, ftLastAccessTime.dwHighDateTime=0x1d5d7f1, ftLastWriteTime.dwLowDateTime=0xb2682ec0, ftLastWriteTime.dwHighDateTime=0x1d5d7f1, nFileSizeHigh=0x0, nFileSizeLow=0x9e84, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="1kvq_JfG.bmp", cAlternateFileName="")) returned 1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2=".") returned 1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="..") returned 1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="...") returned 1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="windows") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="$RECYCLE.BIN") returned 1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="rsa") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="log") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="NTDETECT.COM") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="ntldr") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="MSDOS.SYS") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="IO.SYS") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="boot.ini") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="AUTOEXEC.BAT") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="ntuser.dat") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="desktop.ini") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="CONFIG.SYS") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="RECYCLER") returned -1 [0104.953] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="BOOTSECT.BAK") returned -1 [0104.954] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="bootmgr") returned -1 [0104.954] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="programdata") returned -1 [0104.954] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="appdata") returned -1 [0104.954] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="program files") returned -1 [0104.954] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="program files (x86)") returned -1 [0104.954] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0104.954] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="1kvq_JfG.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\1kvq_JfG.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\1kvq_JfG.bmp" [0104.954] PathFindExtensionW (pszPath="1kvq_JfG.bmp") returned=".bmp" [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0104.954] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0104.955] lstrcmpiW (lpString1="1kvq_JfG.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.955] lstrlenA (lpString="NEPHILIM") returned 8 [0104.955] GetProcessHeap () returned 0x4e0000 [0104.955] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50da40 [0104.955] lstrlenA (lpString="NEPHILIM") returned 8 [0104.955] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\1kvq_JfG.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\1kvq_jfg.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0104.955] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=40580) returned 1 [0104.955] GetProcessHeap () returned 0x4e0000 [0104.955] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0104.955] GetProcessHeap () returned 0x4e0000 [0104.955] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0104.955] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0104.955] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0104.955] GetProcessHeap () returned 0x4e0000 [0104.955] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0104.955] GetProcessHeap () returned 0x4e0000 [0104.956] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0104.956] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0104.956] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0104.956] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x9e84, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.956] SetLastError (dwErrCode=0x0) [0104.956] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.957] GetLastError () returned 0x0 [0104.957] GetLastError () returned 0x0 [0104.957] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x9f84, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.957] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.958] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xa084, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.958] lstrlenA (lpString="NEPHILIM") returned 8 [0104.958] WriteFile (in: hFile=0xf0, lpBuffer=0x50da40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50da40*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0104.958] GetProcessHeap () returned 0x4e0000 [0104.958] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x9e84) returned 0x50dcb8 [0104.958] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.958] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x9e84, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x9e84, lpOverlapped=0x0) returned 1 [0104.961] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.961] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x9e84, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x9e84, lpOverlapped=0x0) returned 1 [0104.965] GetProcessHeap () returned 0x4e0000 [0104.965] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0104.965] CloseHandle (hObject=0xf0) returned 1 [0104.967] GetProcessHeap () returned 0x4e0000 [0104.967] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0104.967] GetProcessHeap () returned 0x4e0000 [0104.967] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0104.967] GetProcessHeap () returned 0x4e0000 [0104.967] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0104.967] GetProcessHeap () returned 0x4e0000 [0104.967] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0104.967] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\1kvq_JfG.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\1kvq_JfG.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\1kvq_JfG.bmp" [0104.967] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\1kvq_JfG.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\1kvq_JfG.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\1kvq_JfG.bmp.NEPHILIM" [0104.968] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\1kvq_JfG.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\1kvq_jfg.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\1kvq_JfG.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\1kvq_jfg.bmp.nephilim")) returned 1 [0104.969] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaed25b0, ftCreationTime.dwHighDateTime=0x1d5d7f6, ftLastAccessTime.dwLowDateTime=0xac78d5c0, ftLastAccessTime.dwHighDateTime=0x1d5e58c, ftLastWriteTime.dwLowDateTime=0xac78d5c0, ftLastWriteTime.dwHighDateTime=0x1d5e58c, nFileSizeHigh=0x0, nFileSizeLow=0xf4fd, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="AY69cWjwS0SyzG.bmp", cAlternateFileName="AY69CW~1.BMP")) returned 1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2=".") returned 1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="..") returned 1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="...") returned 1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="windows") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="$RECYCLE.BIN") returned 1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="rsa") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="log") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="NTDETECT.COM") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="ntldr") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="MSDOS.SYS") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="IO.SYS") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="boot.ini") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="ntuser.dat") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="desktop.ini") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="CONFIG.SYS") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="RECYCLER") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="BOOTSECT.BAK") returned -1 [0104.969] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="bootmgr") returned -1 [0104.970] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="programdata") returned -1 [0104.970] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="appdata") returned 1 [0104.970] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="program files") returned -1 [0104.970] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="program files (x86)") returned -1 [0104.970] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0104.970] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="AY69cWjwS0SyzG.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\AY69cWjwS0SyzG.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\AY69cWjwS0SyzG.bmp" [0104.970] PathFindExtensionW (pszPath="AY69cWjwS0SyzG.bmp") returned=".bmp" [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0104.970] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0104.971] lstrcmpiW (lpString1="AY69cWjwS0SyzG.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0104.971] lstrlenA (lpString="NEPHILIM") returned 8 [0104.971] GetProcessHeap () returned 0x4e0000 [0104.971] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50da50 [0104.971] lstrlenA (lpString="NEPHILIM") returned 8 [0104.971] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\AY69cWjwS0SyzG.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\ay69cwjws0syzg.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0104.971] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=62717) returned 1 [0104.971] GetProcessHeap () returned 0x4e0000 [0104.971] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0104.971] GetProcessHeap () returned 0x4e0000 [0104.971] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0104.971] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0104.971] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0104.971] GetProcessHeap () returned 0x4e0000 [0104.971] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0104.971] GetProcessHeap () returned 0x4e0000 [0104.971] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0104.972] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0104.972] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0104.972] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xf4fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.972] SetLastError (dwErrCode=0x0) [0104.972] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.973] GetLastError () returned 0x0 [0104.973] GetLastError () returned 0x0 [0104.973] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xf5fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.974] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0104.974] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xf6fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.974] lstrlenA (lpString="NEPHILIM") returned 8 [0104.974] WriteFile (in: hFile=0xf0, lpBuffer=0x50da50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50da50*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0104.974] GetProcessHeap () returned 0x4e0000 [0104.974] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xf4fd) returned 0x50dcb8 [0104.974] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.974] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xf4fd, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0xf4fd, lpOverlapped=0x0) returned 1 [0105.024] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.024] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xf4fd, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0xf4fd, lpOverlapped=0x0) returned 1 [0105.025] GetProcessHeap () returned 0x4e0000 [0105.025] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.025] CloseHandle (hObject=0xf0) returned 1 [0105.028] GetProcessHeap () returned 0x4e0000 [0105.028] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.029] GetProcessHeap () returned 0x4e0000 [0105.029] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.029] GetProcessHeap () returned 0x4e0000 [0105.029] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.029] GetProcessHeap () returned 0x4e0000 [0105.029] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.029] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\AY69cWjwS0SyzG.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\AY69cWjwS0SyzG.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\AY69cWjwS0SyzG.bmp" [0105.029] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\AY69cWjwS0SyzG.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\AY69cWjwS0SyzG.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\AY69cWjwS0SyzG.bmp.NEPHILIM" [0105.040] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\AY69cWjwS0SyzG.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\ay69cwjws0syzg.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\AY69cWjwS0SyzG.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\ay69cwjws0syzg.bmp.nephilim")) returned 1 [0105.043] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d0f9030, ftCreationTime.dwHighDateTime=0x1d5d7d3, ftLastAccessTime.dwLowDateTime=0x4bddea60, ftLastAccessTime.dwHighDateTime=0x1d5e1e6, ftLastWriteTime.dwLowDateTime=0x4bddea60, ftLastWriteTime.dwHighDateTime=0x1d5e1e6, nFileSizeHigh=0x0, nFileSizeLow=0xabc6, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="B10kaWPeJI.jpg", cAlternateFileName="B10KAW~1.JPG")) returned 1 [0105.043] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2=".") returned 1 [0105.043] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="..") returned 1 [0105.043] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="...") returned 1 [0105.043] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="windows") returned -1 [0105.043] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="$RECYCLE.BIN") returned 1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="rsa") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="log") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="NTDETECT.COM") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="ntldr") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="MSDOS.SYS") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="IO.SYS") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="boot.ini") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="ntuser.dat") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="desktop.ini") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="CONFIG.SYS") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="RECYCLER") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="BOOTSECT.BAK") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="bootmgr") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="programdata") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="appdata") returned 1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="program files") returned -1 [0105.044] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="program files (x86)") returned -1 [0105.044] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0105.044] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="B10kaWPeJI.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\B10kaWPeJI.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\B10kaWPeJI.jpg" [0105.044] PathFindExtensionW (pszPath="B10kaWPeJI.jpg") returned=".jpg" [0105.044] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0105.044] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0105.045] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0105.056] lstrcmpiW (lpString1="B10kaWPeJI.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.056] lstrlenA (lpString="NEPHILIM") returned 8 [0105.056] GetProcessHeap () returned 0x4e0000 [0105.056] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50da60 [0105.056] lstrlenA (lpString="NEPHILIM") returned 8 [0105.056] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\B10kaWPeJI.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\b10kawpeji.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0105.059] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=43974) returned 1 [0105.059] GetProcessHeap () returned 0x4e0000 [0105.059] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.059] GetProcessHeap () returned 0x4e0000 [0105.059] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.059] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.059] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.059] GetProcessHeap () returned 0x4e0000 [0105.059] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.059] GetProcessHeap () returned 0x4e0000 [0105.059] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.059] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0105.059] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0105.060] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xabc6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.060] SetLastError (dwErrCode=0x0) [0105.060] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.061] GetLastError () returned 0x0 [0105.061] GetLastError () returned 0x0 [0105.061] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xacc6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.061] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.061] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xadc6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.061] lstrlenA (lpString="NEPHILIM") returned 8 [0105.061] WriteFile (in: hFile=0xf0, lpBuffer=0x50da60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50da60*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0105.061] GetProcessHeap () returned 0x4e0000 [0105.061] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xabc6) returned 0x50dcb8 [0105.061] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.062] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xabc6, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0xabc6, lpOverlapped=0x0) returned 1 [0105.064] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.064] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xabc6, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0xabc6, lpOverlapped=0x0) returned 1 [0105.065] GetProcessHeap () returned 0x4e0000 [0105.065] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.065] CloseHandle (hObject=0xf0) returned 1 [0105.067] GetProcessHeap () returned 0x4e0000 [0105.067] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.067] GetProcessHeap () returned 0x4e0000 [0105.067] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.067] GetProcessHeap () returned 0x4e0000 [0105.067] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.067] GetProcessHeap () returned 0x4e0000 [0105.067] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.067] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\B10kaWPeJI.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\B10kaWPeJI.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\B10kaWPeJI.jpg" [0105.067] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\B10kaWPeJI.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\B10kaWPeJI.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\B10kaWPeJI.jpg.NEPHILIM" [0105.067] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\B10kaWPeJI.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\b10kawpeji.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\B10kaWPeJI.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\b10kawpeji.jpg.nephilim")) returned 1 [0105.068] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd225f9e0, ftCreationTime.dwHighDateTime=0x1d5e61a, ftLastAccessTime.dwLowDateTime=0x76ff2bb0, ftLastAccessTime.dwHighDateTime=0x1d5e6ae, ftLastWriteTime.dwLowDateTime=0x76ff2bb0, ftLastWriteTime.dwHighDateTime=0x1d5e6ae, nFileSizeHigh=0x0, nFileSizeLow=0xe678, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="bY4dV3gQE6POb2gQy.png", cAlternateFileName="BY4DV3~1.PNG")) returned 1 [0105.068] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2=".") returned 1 [0105.068] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="..") returned 1 [0105.068] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="...") returned 1 [0105.068] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="windows") returned -1 [0105.068] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="$RECYCLE.BIN") returned 1 [0105.068] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="rsa") returned -1 [0105.068] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="log") returned -1 [0105.068] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="NTDETECT.COM") returned -1 [0105.068] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="ntldr") returned -1 [0105.068] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="MSDOS.SYS") returned -1 [0105.068] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="IO.SYS") returned -1 [0105.069] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="boot.ini") returned 1 [0105.069] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="AUTOEXEC.BAT") returned 1 [0105.069] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="ntuser.dat") returned -1 [0105.069] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="desktop.ini") returned -1 [0105.069] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="CONFIG.SYS") returned -1 [0105.069] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="RECYCLER") returned -1 [0105.069] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="BOOTSECT.BAK") returned 1 [0105.069] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="bootmgr") returned 1 [0105.069] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="programdata") returned -1 [0105.069] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="appdata") returned 1 [0105.069] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="program files") returned -1 [0105.069] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="program files (x86)") returned -1 [0105.069] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0105.069] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="bY4dV3gQE6POb2gQy.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\bY4dV3gQE6POb2gQy.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\bY4dV3gQE6POb2gQy.png" [0105.069] PathFindExtensionW (pszPath="bY4dV3gQE6POb2gQy.png") returned=".png" [0105.069] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0105.069] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0105.069] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0105.069] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0105.069] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0105.069] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0105.069] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0105.069] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0105.069] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0105.070] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0105.070] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0105.070] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0105.070] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0105.070] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0105.070] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0105.070] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0105.070] lstrcmpiW (lpString1="bY4dV3gQE6POb2gQy.png", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.070] lstrlenA (lpString="NEPHILIM") returned 8 [0105.070] GetProcessHeap () returned 0x4e0000 [0105.070] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50da70 [0105.070] lstrlenA (lpString="NEPHILIM") returned 8 [0105.070] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\bY4dV3gQE6POb2gQy.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\by4dv3gqe6pob2gqy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0105.070] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=59000) returned 1 [0105.070] GetProcessHeap () returned 0x4e0000 [0105.070] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.070] GetProcessHeap () returned 0x4e0000 [0105.070] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.070] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.071] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.071] GetProcessHeap () returned 0x4e0000 [0105.071] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.071] GetProcessHeap () returned 0x4e0000 [0105.071] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.071] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0105.071] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0105.071] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xe678, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.071] SetLastError (dwErrCode=0x0) [0105.071] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.072] GetLastError () returned 0x0 [0105.073] GetLastError () returned 0x0 [0105.073] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xe778, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.073] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.073] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xe878, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.073] lstrlenA (lpString="NEPHILIM") returned 8 [0105.073] WriteFile (in: hFile=0xf0, lpBuffer=0x50da70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50da70*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0105.073] GetProcessHeap () returned 0x4e0000 [0105.073] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xe678) returned 0x50dcb8 [0105.073] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.073] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xe678, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0xe678, lpOverlapped=0x0) returned 1 [0105.077] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.077] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xe678, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0xe678, lpOverlapped=0x0) returned 1 [0105.078] GetProcessHeap () returned 0x4e0000 [0105.078] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.078] CloseHandle (hObject=0xf0) returned 1 [0105.080] GetProcessHeap () returned 0x4e0000 [0105.080] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.080] GetProcessHeap () returned 0x4e0000 [0105.080] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.080] GetProcessHeap () returned 0x4e0000 [0105.080] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.080] GetProcessHeap () returned 0x4e0000 [0105.080] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.080] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\bY4dV3gQE6POb2gQy.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\bY4dV3gQE6POb2gQy.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\bY4dV3gQE6POb2gQy.png" [0105.080] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\bY4dV3gQE6POb2gQy.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\bY4dV3gQE6POb2gQy.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\bY4dV3gQE6POb2gQy.png.NEPHILIM" [0105.080] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\bY4dV3gQE6POb2gQy.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\by4dv3gqe6pob2gqy.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\bY4dV3gQE6POb2gQy.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\by4dv3gqe6pob2gqy.png.nephilim")) returned 1 [0105.081] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2f81280, ftCreationTime.dwHighDateTime=0x1d5da3d, ftLastAccessTime.dwLowDateTime=0x488673d0, ftLastAccessTime.dwHighDateTime=0x1d5dd79, ftLastWriteTime.dwLowDateTime=0x488673d0, ftLastWriteTime.dwHighDateTime=0x1d5dd79, nFileSizeHigh=0x0, nFileSizeLow=0x59cd, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="fOqctAe.gif", cAlternateFileName="")) returned 1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2=".") returned 1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="..") returned 1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="...") returned 1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="windows") returned -1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="$RECYCLE.BIN") returned 1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="rsa") returned -1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="log") returned -1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="NTDETECT.COM") returned -1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="ntldr") returned -1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="MSDOS.SYS") returned -1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="IO.SYS") returned -1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="boot.ini") returned 1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="AUTOEXEC.BAT") returned 1 [0105.081] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="ntuser.dat") returned -1 [0105.082] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="desktop.ini") returned 1 [0105.082] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="CONFIG.SYS") returned 1 [0105.082] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="RECYCLER") returned -1 [0105.082] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="BOOTSECT.BAK") returned 1 [0105.082] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="bootmgr") returned 1 [0105.082] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="programdata") returned -1 [0105.082] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="appdata") returned 1 [0105.082] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="program files") returned -1 [0105.082] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="program files (x86)") returned -1 [0105.082] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0105.082] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="fOqctAe.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\fOqctAe.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\fOqctAe.gif" [0105.082] PathFindExtensionW (pszPath="fOqctAe.gif") returned=".gif" [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0105.082] lstrcmpiW (lpString1=".gif", lpString2=".NEPHILIM") returned -1 [0105.083] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0105.083] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0105.083] lstrcmpiW (lpString1="fOqctAe.gif", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.083] lstrlenA (lpString="NEPHILIM") returned 8 [0105.083] GetProcessHeap () returned 0x4e0000 [0105.083] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50da80 [0105.083] lstrlenA (lpString="NEPHILIM") returned 8 [0105.083] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\fOqctAe.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\foqctae.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0105.083] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=22989) returned 1 [0105.083] GetProcessHeap () returned 0x4e0000 [0105.083] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.083] GetProcessHeap () returned 0x4e0000 [0105.083] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.083] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.084] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.084] GetProcessHeap () returned 0x4e0000 [0105.084] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.084] GetProcessHeap () returned 0x4e0000 [0105.084] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.084] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0105.084] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0105.084] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x59cd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.085] SetLastError (dwErrCode=0x0) [0105.085] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.086] GetLastError () returned 0x0 [0105.086] GetLastError () returned 0x0 [0105.086] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x5acd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.086] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.086] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x5bcd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.086] lstrlenA (lpString="NEPHILIM") returned 8 [0105.086] WriteFile (in: hFile=0xf0, lpBuffer=0x50da80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50da80*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0105.086] GetProcessHeap () returned 0x4e0000 [0105.086] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x59cd) returned 0x50dcb8 [0105.086] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.086] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x59cd, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x59cd, lpOverlapped=0x0) returned 1 [0105.088] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.088] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x59cd, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x59cd, lpOverlapped=0x0) returned 1 [0105.088] GetProcessHeap () returned 0x4e0000 [0105.088] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.088] CloseHandle (hObject=0xf0) returned 1 [0105.122] GetProcessHeap () returned 0x4e0000 [0105.122] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.122] GetProcessHeap () returned 0x4e0000 [0105.122] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.122] GetProcessHeap () returned 0x4e0000 [0105.122] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.122] GetProcessHeap () returned 0x4e0000 [0105.122] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.122] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\fOqctAe.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\fOqctAe.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\fOqctAe.gif" [0105.122] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\fOqctAe.gif", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\fOqctAe.gif.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\fOqctAe.gif.NEPHILIM" [0105.123] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\fOqctAe.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\foqctae.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\fOqctAe.gif.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\foqctae.gif.nephilim")) returned 1 [0105.124] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6b986e0, ftCreationTime.dwHighDateTime=0x1d5e035, ftLastAccessTime.dwLowDateTime=0x5c4cec40, ftLastAccessTime.dwHighDateTime=0x1d5e333, ftLastWriteTime.dwLowDateTime=0x5c4cec40, ftLastWriteTime.dwHighDateTime=0x1d5e333, nFileSizeHigh=0x0, nFileSizeLow=0x3c0c, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="h 6IzkeGtDMfDw0qURjw.jpg", cAlternateFileName="H6IZKE~1.JPG")) returned 1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2=".") returned 1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="..") returned 1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="...") returned 1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="windows") returned -1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="$RECYCLE.BIN") returned 1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="rsa") returned -1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="log") returned -1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="NTDETECT.COM") returned -1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="ntldr") returned -1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="MSDOS.SYS") returned -1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="IO.SYS") returned -1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="boot.ini") returned 1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="ntuser.dat") returned -1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="desktop.ini") returned 1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="CONFIG.SYS") returned 1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="RECYCLER") returned -1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="BOOTSECT.BAK") returned 1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="bootmgr") returned 1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="programdata") returned -1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="appdata") returned 1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="program files") returned -1 [0105.124] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="program files (x86)") returned -1 [0105.125] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0105.125] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="h 6IzkeGtDMfDw0qURjw.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\h 6IzkeGtDMfDw0qURjw.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\h 6IzkeGtDMfDw0qURjw.jpg" [0105.125] PathFindExtensionW (pszPath="h 6IzkeGtDMfDw0qURjw.jpg") returned=".jpg" [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0105.125] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0105.125] lstrcmpiW (lpString1="h 6IzkeGtDMfDw0qURjw.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.125] lstrlenA (lpString="NEPHILIM") returned 8 [0105.125] GetProcessHeap () returned 0x4e0000 [0105.125] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50da90 [0105.125] lstrlenA (lpString="NEPHILIM") returned 8 [0105.126] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\h 6IzkeGtDMfDw0qURjw.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\h 6izkegtdmfdw0qurjw.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0105.126] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=15372) returned 1 [0105.126] GetProcessHeap () returned 0x4e0000 [0105.126] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.126] GetProcessHeap () returned 0x4e0000 [0105.126] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.126] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.126] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.126] GetProcessHeap () returned 0x4e0000 [0105.126] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.126] GetProcessHeap () returned 0x4e0000 [0105.126] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.126] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0105.127] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0105.127] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3c0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.127] SetLastError (dwErrCode=0x0) [0105.127] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.129] GetLastError () returned 0x0 [0105.129] GetLastError () returned 0x0 [0105.129] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3d0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.129] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.129] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3e0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.129] lstrlenA (lpString="NEPHILIM") returned 8 [0105.129] WriteFile (in: hFile=0xf0, lpBuffer=0x50da90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50da90*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0105.129] GetProcessHeap () returned 0x4e0000 [0105.129] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3c0c) returned 0x50dcb8 [0105.129] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.129] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x3c0c, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x3c0c, lpOverlapped=0x0) returned 1 [0105.165] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.166] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x3c0c, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x3c0c, lpOverlapped=0x0) returned 1 [0105.166] GetProcessHeap () returned 0x4e0000 [0105.166] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.166] CloseHandle (hObject=0xf0) returned 1 [0105.168] GetProcessHeap () returned 0x4e0000 [0105.168] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.168] GetProcessHeap () returned 0x4e0000 [0105.168] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.168] GetProcessHeap () returned 0x4e0000 [0105.168] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.168] GetProcessHeap () returned 0x4e0000 [0105.168] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.168] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\h 6IzkeGtDMfDw0qURjw.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\h 6IzkeGtDMfDw0qURjw.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\h 6IzkeGtDMfDw0qURjw.jpg" [0105.168] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\h 6IzkeGtDMfDw0qURjw.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\h 6IzkeGtDMfDw0qURjw.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\h 6IzkeGtDMfDw0qURjw.jpg.NEPHILIM" [0105.168] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\h 6IzkeGtDMfDw0qURjw.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\h 6izkegtdmfdw0qurjw.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\h 6IzkeGtDMfDw0qURjw.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\h 6izkegtdmfdw0qurjw.jpg.nephilim")) returned 1 [0105.170] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ac7320, ftCreationTime.dwHighDateTime=0x1d5df1c, ftLastAccessTime.dwLowDateTime=0x39db5010, ftLastAccessTime.dwHighDateTime=0x1d5e703, ftLastWriteTime.dwLowDateTime=0x39db5010, ftLastWriteTime.dwHighDateTime=0x1d5e703, nFileSizeHigh=0x0, nFileSizeLow=0xba8, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="jVnZkl8xLMAlp91n.bmp", cAlternateFileName="JVNZKL~1.BMP")) returned 1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2=".") returned 1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="..") returned 1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="...") returned 1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="windows") returned -1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="$RECYCLE.BIN") returned 1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="rsa") returned -1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="log") returned -1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="NTDETECT.COM") returned -1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="ntldr") returned -1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="MSDOS.SYS") returned -1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="IO.SYS") returned 1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="boot.ini") returned 1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0105.170] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="ntuser.dat") returned -1 [0105.171] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="desktop.ini") returned 1 [0105.171] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="CONFIG.SYS") returned 1 [0105.171] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="RECYCLER") returned -1 [0105.171] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="BOOTSECT.BAK") returned 1 [0105.171] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="bootmgr") returned 1 [0105.171] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="programdata") returned -1 [0105.171] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="appdata") returned 1 [0105.171] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="program files") returned -1 [0105.171] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="program files (x86)") returned -1 [0105.171] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0105.171] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="jVnZkl8xLMAlp91n.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\jVnZkl8xLMAlp91n.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\jVnZkl8xLMAlp91n.bmp" [0105.171] PathFindExtensionW (pszPath="jVnZkl8xLMAlp91n.bmp") returned=".bmp" [0105.171] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0105.171] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0105.171] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0105.172] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0105.172] lstrcmpiW (lpString1="jVnZkl8xLMAlp91n.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.172] lstrlenA (lpString="NEPHILIM") returned 8 [0105.172] GetProcessHeap () returned 0x4e0000 [0105.172] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50daa0 [0105.173] lstrlenA (lpString="NEPHILIM") returned 8 [0105.173] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\jVnZkl8xLMAlp91n.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\jvnzkl8xlmalp91n.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0105.173] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=2984) returned 1 [0105.173] GetProcessHeap () returned 0x4e0000 [0105.173] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.173] GetProcessHeap () returned 0x4e0000 [0105.173] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.173] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.173] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.173] GetProcessHeap () returned 0x4e0000 [0105.173] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.174] GetProcessHeap () returned 0x4e0000 [0105.174] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.174] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0105.174] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0105.174] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xba8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.174] SetLastError (dwErrCode=0x0) [0105.174] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.176] GetLastError () returned 0x0 [0105.176] GetLastError () returned 0x0 [0105.176] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xca8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.176] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.176] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xda8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.176] lstrlenA (lpString="NEPHILIM") returned 8 [0105.176] WriteFile (in: hFile=0xf0, lpBuffer=0x50daa0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50daa0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0105.176] GetProcessHeap () returned 0x4e0000 [0105.176] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xba8) returned 0x50c8b0 [0105.176] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.176] ReadFile (in: hFile=0xf0, lpBuffer=0x50c8b0, nNumberOfBytesToRead=0xba8, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesRead=0x24dddb0*=0xba8, lpOverlapped=0x0) returned 1 [0105.177] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.177] WriteFile (in: hFile=0xf0, lpBuffer=0x50c8b0*, nNumberOfBytesToWrite=0xba8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c8b0*, lpNumberOfBytesWritten=0x24dddbc*=0xba8, lpOverlapped=0x0) returned 1 [0105.177] GetProcessHeap () returned 0x4e0000 [0105.177] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c8b0 | out: hHeap=0x4e0000) returned 1 [0105.177] CloseHandle (hObject=0xf0) returned 1 [0105.180] GetProcessHeap () returned 0x4e0000 [0105.180] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.180] GetProcessHeap () returned 0x4e0000 [0105.180] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.180] GetProcessHeap () returned 0x4e0000 [0105.180] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.180] GetProcessHeap () returned 0x4e0000 [0105.180] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.180] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\jVnZkl8xLMAlp91n.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\jVnZkl8xLMAlp91n.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\jVnZkl8xLMAlp91n.bmp" [0105.180] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\jVnZkl8xLMAlp91n.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\jVnZkl8xLMAlp91n.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\jVnZkl8xLMAlp91n.bmp.NEPHILIM" [0105.180] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\jVnZkl8xLMAlp91n.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\jvnzkl8xlmalp91n.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\jVnZkl8xLMAlp91n.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\jvnzkl8xlmalp91n.bmp.nephilim")) returned 1 [0105.181] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x748c5d20, ftCreationTime.dwHighDateTime=0x1d5e420, ftLastAccessTime.dwLowDateTime=0x6c82ea70, ftLastAccessTime.dwHighDateTime=0x1d5db85, ftLastWriteTime.dwLowDateTime=0x6c82ea70, ftLastWriteTime.dwHighDateTime=0x1d5db85, nFileSizeHigh=0x0, nFileSizeLow=0x392c, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="ljVt.gif", cAlternateFileName="")) returned 1 [0105.181] lstrcmpiW (lpString1="ljVt.gif", lpString2=".") returned 1 [0105.181] lstrcmpiW (lpString1="ljVt.gif", lpString2="..") returned 1 [0105.181] lstrcmpiW (lpString1="ljVt.gif", lpString2="...") returned 1 [0105.181] lstrcmpiW (lpString1="ljVt.gif", lpString2="windows") returned -1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="$RECYCLE.BIN") returned 1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="rsa") returned -1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="log") returned -1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="NTDETECT.COM") returned -1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="ntldr") returned -1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="MSDOS.SYS") returned -1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="IO.SYS") returned 1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="boot.ini") returned 1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="AUTOEXEC.BAT") returned 1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="ntuser.dat") returned -1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="desktop.ini") returned 1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="CONFIG.SYS") returned 1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="RECYCLER") returned -1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="BOOTSECT.BAK") returned 1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="bootmgr") returned 1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="programdata") returned -1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="appdata") returned 1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="program files") returned -1 [0105.182] lstrcmpiW (lpString1="ljVt.gif", lpString2="program files (x86)") returned -1 [0105.182] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0105.182] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="ljVt.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\ljVt.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\ljVt.gif" [0105.182] PathFindExtensionW (pszPath="ljVt.gif") returned=".gif" [0105.182] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".NEPHILIM") returned -1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0105.183] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0105.183] lstrcmpiW (lpString1="ljVt.gif", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.183] lstrlenA (lpString="NEPHILIM") returned 8 [0105.183] GetProcessHeap () returned 0x4e0000 [0105.183] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dab0 [0105.183] lstrlenA (lpString="NEPHILIM") returned 8 [0105.183] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\ljVt.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\ljvt.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0105.184] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=14636) returned 1 [0105.184] GetProcessHeap () returned 0x4e0000 [0105.184] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.184] GetProcessHeap () returned 0x4e0000 [0105.184] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.184] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.184] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.184] GetProcessHeap () returned 0x4e0000 [0105.184] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.184] GetProcessHeap () returned 0x4e0000 [0105.184] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.184] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0105.184] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0105.185] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x392c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.185] SetLastError (dwErrCode=0x0) [0105.185] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.186] GetLastError () returned 0x0 [0105.186] GetLastError () returned 0x0 [0105.186] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3a2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.186] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.186] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3b2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.186] lstrlenA (lpString="NEPHILIM") returned 8 [0105.187] WriteFile (in: hFile=0xf0, lpBuffer=0x50dab0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dab0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0105.187] GetProcessHeap () returned 0x4e0000 [0105.187] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x392c) returned 0x50dcb8 [0105.187] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.187] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x392c, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x392c, lpOverlapped=0x0) returned 1 [0105.188] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.188] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x392c, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x392c, lpOverlapped=0x0) returned 1 [0105.188] GetProcessHeap () returned 0x4e0000 [0105.188] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.188] CloseHandle (hObject=0xf0) returned 1 [0105.192] GetProcessHeap () returned 0x4e0000 [0105.192] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.192] GetProcessHeap () returned 0x4e0000 [0105.192] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.192] GetProcessHeap () returned 0x4e0000 [0105.192] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.192] GetProcessHeap () returned 0x4e0000 [0105.192] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.192] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\ljVt.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\ljVt.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\ljVt.gif" [0105.192] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\ljVt.gif", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\ljVt.gif.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\ljVt.gif.NEPHILIM" [0105.192] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\ljVt.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\ljvt.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\ljVt.gif.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\ljvt.gif.nephilim")) returned 1 [0105.193] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2dd9ed0, ftCreationTime.dwHighDateTime=0x1d5e0a2, ftLastAccessTime.dwLowDateTime=0xa0be0ef0, ftLastAccessTime.dwHighDateTime=0x1d5e404, ftLastWriteTime.dwLowDateTime=0xa0be0ef0, ftLastWriteTime.dwHighDateTime=0x1d5e404, nFileSizeHigh=0x0, nFileSizeLow=0x303b, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="qYk5-.gif", cAlternateFileName="")) returned 1 [0105.193] lstrcmpiW (lpString1="qYk5-.gif", lpString2=".") returned 1 [0105.193] lstrcmpiW (lpString1="qYk5-.gif", lpString2="..") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="...") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="windows") returned -1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="$RECYCLE.BIN") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="rsa") returned -1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="log") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="NTDETECT.COM") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="ntldr") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="MSDOS.SYS") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="IO.SYS") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="boot.ini") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="AUTOEXEC.BAT") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="ntuser.dat") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="desktop.ini") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="CONFIG.SYS") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="RECYCLER") returned -1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="BOOTSECT.BAK") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="bootmgr") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="programdata") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="appdata") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="program files") returned 1 [0105.194] lstrcmpiW (lpString1="qYk5-.gif", lpString2="program files (x86)") returned 1 [0105.194] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0105.194] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="qYk5-.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\qYk5-.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\qYk5-.gif" [0105.195] PathFindExtensionW (pszPath="qYk5-.gif") returned=".gif" [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".NEPHILIM") returned -1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0105.195] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0105.195] lstrcmpiW (lpString1="qYk5-.gif", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.195] lstrlenA (lpString="NEPHILIM") returned 8 [0105.195] GetProcessHeap () returned 0x4e0000 [0105.195] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dac0 [0105.195] lstrlenA (lpString="NEPHILIM") returned 8 [0105.196] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\qYk5-.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\qyk5-.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0105.196] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=12347) returned 1 [0105.196] GetProcessHeap () returned 0x4e0000 [0105.196] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.196] GetProcessHeap () returned 0x4e0000 [0105.196] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.196] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.197] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.197] GetProcessHeap () returned 0x4e0000 [0105.197] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.197] GetProcessHeap () returned 0x4e0000 [0105.197] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.197] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0105.197] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0105.197] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x303b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.197] SetLastError (dwErrCode=0x0) [0105.197] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.198] GetLastError () returned 0x0 [0105.198] GetLastError () returned 0x0 [0105.198] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x313b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.199] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.199] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x323b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.199] lstrlenA (lpString="NEPHILIM") returned 8 [0105.199] WriteFile (in: hFile=0xf0, lpBuffer=0x50dac0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dac0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0105.199] GetProcessHeap () returned 0x4e0000 [0105.199] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x303b) returned 0x50dcb8 [0105.199] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.199] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x303b, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x303b, lpOverlapped=0x0) returned 1 [0105.200] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.200] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x303b, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x303b, lpOverlapped=0x0) returned 1 [0105.200] GetProcessHeap () returned 0x4e0000 [0105.200] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.200] CloseHandle (hObject=0xf0) returned 1 [0105.212] GetProcessHeap () returned 0x4e0000 [0105.212] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.213] GetProcessHeap () returned 0x4e0000 [0105.213] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.213] GetProcessHeap () returned 0x4e0000 [0105.213] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.213] GetProcessHeap () returned 0x4e0000 [0105.213] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.213] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\qYk5-.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\qYk5-.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\qYk5-.gif" [0105.213] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\qYk5-.gif", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\qYk5-.gif.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\qYk5-.gif.NEPHILIM" [0105.213] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\qYk5-.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\qyk5-.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\qYk5-.gif.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\qyk5-.gif.nephilim")) returned 1 [0105.214] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39edb2c0, ftCreationTime.dwHighDateTime=0x1d5d7b1, ftLastAccessTime.dwLowDateTime=0x17f142c0, ftLastAccessTime.dwHighDateTime=0x1d5d961, ftLastWriteTime.dwLowDateTime=0x17f142c0, ftLastWriteTime.dwHighDateTime=0x1d5d961, nFileSizeHigh=0x0, nFileSizeLow=0x16769, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="rt15iobTtzAY6p.jpg", cAlternateFileName="RT15IO~1.JPG")) returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2=".") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="..") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="...") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="windows") returned -1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="$RECYCLE.BIN") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="rsa") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="log") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="NTDETECT.COM") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="ntldr") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="MSDOS.SYS") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="IO.SYS") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="boot.ini") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="ntuser.dat") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="desktop.ini") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="CONFIG.SYS") returned 1 [0105.214] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="RECYCLER") returned 1 [0105.215] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="BOOTSECT.BAK") returned 1 [0105.215] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="bootmgr") returned 1 [0105.215] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="programdata") returned 1 [0105.215] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="appdata") returned 1 [0105.215] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="program files") returned 1 [0105.215] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="program files (x86)") returned 1 [0105.215] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0105.215] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="rt15iobTtzAY6p.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\rt15iobTtzAY6p.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\rt15iobTtzAY6p.jpg" [0105.215] PathFindExtensionW (pszPath="rt15iobTtzAY6p.jpg") returned=".jpg" [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0105.215] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0105.215] lstrcmpiW (lpString1="rt15iobTtzAY6p.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.215] lstrlenA (lpString="NEPHILIM") returned 8 [0105.215] GetProcessHeap () returned 0x4e0000 [0105.216] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dad0 [0105.216] lstrlenA (lpString="NEPHILIM") returned 8 [0105.216] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\rt15iobTtzAY6p.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\rt15iobttzay6p.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0105.216] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=92009) returned 1 [0105.216] GetProcessHeap () returned 0x4e0000 [0105.216] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.216] GetProcessHeap () returned 0x4e0000 [0105.216] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.216] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.216] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.216] GetProcessHeap () returned 0x4e0000 [0105.216] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.216] GetProcessHeap () returned 0x4e0000 [0105.216] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.216] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0105.217] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0105.217] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x16769, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.217] SetLastError (dwErrCode=0x0) [0105.217] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.218] GetLastError () returned 0x0 [0105.218] GetLastError () returned 0x0 [0105.218] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x16869, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.218] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.218] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x16969, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.218] lstrlenA (lpString="NEPHILIM") returned 8 [0105.218] WriteFile (in: hFile=0xf0, lpBuffer=0x50dad0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dad0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0105.218] GetProcessHeap () returned 0x4e0000 [0105.218] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x16769) returned 0x50dcb8 [0105.218] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.218] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x16769, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x16769, lpOverlapped=0x0) returned 1 [0105.224] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.224] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x16769, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x16769, lpOverlapped=0x0) returned 1 [0105.225] GetProcessHeap () returned 0x4e0000 [0105.225] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.225] CloseHandle (hObject=0xf0) returned 1 [0105.228] GetProcessHeap () returned 0x4e0000 [0105.228] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.228] GetProcessHeap () returned 0x4e0000 [0105.228] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.228] GetProcessHeap () returned 0x4e0000 [0105.228] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.228] GetProcessHeap () returned 0x4e0000 [0105.228] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.228] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\rt15iobTtzAY6p.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\rt15iobTtzAY6p.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\rt15iobTtzAY6p.jpg" [0105.228] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\rt15iobTtzAY6p.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\rt15iobTtzAY6p.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\rt15iobTtzAY6p.jpg.NEPHILIM" [0105.228] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\rt15iobTtzAY6p.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\rt15iobttzay6p.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\rt15iobTtzAY6p.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\rt15iobttzay6p.jpg.nephilim")) returned 1 [0105.229] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f24a150, ftCreationTime.dwHighDateTime=0x1d5db66, ftLastAccessTime.dwLowDateTime=0xf6f6baa0, ftLastAccessTime.dwHighDateTime=0x1d5dc8a, ftLastWriteTime.dwLowDateTime=0xf6f6baa0, ftLastWriteTime.dwHighDateTime=0x1d5dc8a, nFileSizeHigh=0x0, nFileSizeLow=0x12f43, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="TR0BzaNnDj0Uo.png", cAlternateFileName="TR0BZA~1.PNG")) returned 1 [0105.229] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2=".") returned 1 [0105.229] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="..") returned 1 [0105.229] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="...") returned 1 [0105.229] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="windows") returned -1 [0105.229] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="$RECYCLE.BIN") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="rsa") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="log") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="NTDETECT.COM") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="ntldr") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="MSDOS.SYS") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="IO.SYS") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="boot.ini") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="AUTOEXEC.BAT") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="ntuser.dat") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="desktop.ini") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="CONFIG.SYS") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="RECYCLER") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="BOOTSECT.BAK") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="bootmgr") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="programdata") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="appdata") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="program files") returned 1 [0105.230] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="program files (x86)") returned 1 [0105.230] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0105.230] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="TR0BzaNnDj0Uo.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\TR0BzaNnDj0Uo.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\TR0BzaNnDj0Uo.png" [0105.230] PathFindExtensionW (pszPath="TR0BzaNnDj0Uo.png") returned=".png" [0105.230] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0105.230] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0105.230] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0105.230] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0105.230] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0105.230] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0105.230] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0105.230] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0105.230] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0105.231] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0105.231] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0105.231] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0105.231] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0105.231] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0105.231] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0105.231] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0105.231] lstrcmpiW (lpString1="TR0BzaNnDj0Uo.png", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.231] lstrlenA (lpString="NEPHILIM") returned 8 [0105.231] GetProcessHeap () returned 0x4e0000 [0105.231] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dae0 [0105.231] lstrlenA (lpString="NEPHILIM") returned 8 [0105.231] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\TR0BzaNnDj0Uo.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\tr0bzanndj0uo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0105.231] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=77635) returned 1 [0105.231] GetProcessHeap () returned 0x4e0000 [0105.231] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.231] GetProcessHeap () returned 0x4e0000 [0105.231] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.231] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.231] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.231] GetProcessHeap () returned 0x4e0000 [0105.231] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.232] GetProcessHeap () returned 0x4e0000 [0105.232] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.232] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0105.232] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0105.232] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x12f43, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.233] SetLastError (dwErrCode=0x0) [0105.233] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.234] GetLastError () returned 0x0 [0105.234] GetLastError () returned 0x0 [0105.234] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x13043, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.234] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.234] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x13143, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.234] lstrlenA (lpString="NEPHILIM") returned 8 [0105.234] WriteFile (in: hFile=0xf0, lpBuffer=0x50dae0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dae0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0105.234] GetProcessHeap () returned 0x4e0000 [0105.234] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x12f43) returned 0x50dcb8 [0105.235] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.235] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x12f43, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x12f43, lpOverlapped=0x0) returned 1 [0105.239] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.239] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x12f43, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x12f43, lpOverlapped=0x0) returned 1 [0105.240] GetProcessHeap () returned 0x4e0000 [0105.240] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.240] CloseHandle (hObject=0xf0) returned 1 [0105.244] GetProcessHeap () returned 0x4e0000 [0105.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.244] GetProcessHeap () returned 0x4e0000 [0105.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.244] GetProcessHeap () returned 0x4e0000 [0105.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.244] GetProcessHeap () returned 0x4e0000 [0105.244] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.244] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\TR0BzaNnDj0Uo.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\TR0BzaNnDj0Uo.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\TR0BzaNnDj0Uo.png" [0105.244] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\TR0BzaNnDj0Uo.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\TR0BzaNnDj0Uo.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\TR0BzaNnDj0Uo.png.NEPHILIM" [0105.244] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\TR0BzaNnDj0Uo.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\tr0bzanndj0uo.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\TR0BzaNnDj0Uo.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\tr0bzanndj0uo.png.nephilim")) returned 1 [0105.245] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f663060, ftCreationTime.dwHighDateTime=0x1d5d9db, ftLastAccessTime.dwLowDateTime=0x9fc23590, ftLastAccessTime.dwHighDateTime=0x1d5dbbb, ftLastWriteTime.dwLowDateTime=0x9fc23590, ftLastWriteTime.dwHighDateTime=0x1d5dbbb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="woXaBqbokyzl2r", cAlternateFileName="WOXABQ~1")) returned 1 [0105.245] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2=".") returned 1 [0105.245] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="..") returned 1 [0105.245] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="...") returned 1 [0105.245] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="windows") returned 1 [0105.245] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="$RECYCLE.BIN") returned 1 [0105.245] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="rsa") returned 1 [0105.245] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="log") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="NTDETECT.COM") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="ntldr") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="MSDOS.SYS") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="IO.SYS") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="boot.ini") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="AUTOEXEC.BAT") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="ntuser.dat") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="desktop.ini") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="CONFIG.SYS") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="RECYCLER") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="BOOTSECT.BAK") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="bootmgr") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="programdata") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="appdata") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="program files") returned 1 [0105.246] lstrcmpiW (lpString1="woXaBqbokyzl2r", lpString2="program files (x86)") returned 1 [0105.246] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0105.246] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="woXaBqbokyzl2r" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r" [0105.246] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.246] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.246] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\*.*" [0105.246] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f663060, ftCreationTime.dwHighDateTime=0x1d5d9db, ftLastAccessTime.dwLowDateTime=0x9fc23590, ftLastAccessTime.dwHighDateTime=0x1d5dbbb, ftLastWriteTime.dwLowDateTime=0x9fc23590, ftLastWriteTime.dwHighDateTime=0x1d5dbbb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0105.247] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.247] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f663060, ftCreationTime.dwHighDateTime=0x1d5d9db, ftLastAccessTime.dwLowDateTime=0x9fc23590, ftLastAccessTime.dwHighDateTime=0x1d5dbbb, ftLastWriteTime.dwLowDateTime=0x9fc23590, ftLastWriteTime.dwHighDateTime=0x1d5dbbb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="..", cAlternateFileName="")) returned 1 [0105.247] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.247] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.247] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39c232a0, ftCreationTime.dwHighDateTime=0x1d5dba6, ftLastAccessTime.dwLowDateTime=0x2aefc840, ftLastAccessTime.dwHighDateTime=0x1d5e7d7, ftLastWriteTime.dwLowDateTime=0x2aefc840, ftLastWriteTime.dwHighDateTime=0x1d5e7d7, nFileSizeHigh=0x0, nFileSizeLow=0x5989, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="3fU-xgmX.png", cAlternateFileName="")) returned 1 [0105.247] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2=".") returned 1 [0105.247] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="..") returned 1 [0105.247] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="...") returned 1 [0105.247] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="windows") returned -1 [0105.247] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="$RECYCLE.BIN") returned 1 [0105.247] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="rsa") returned -1 [0105.247] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="log") returned -1 [0105.247] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="NTDETECT.COM") returned -1 [0105.247] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="ntldr") returned -1 [0105.247] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="MSDOS.SYS") returned -1 [0105.264] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="IO.SYS") returned -1 [0105.264] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="boot.ini") returned -1 [0105.264] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="AUTOEXEC.BAT") returned -1 [0105.264] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="ntuser.dat") returned -1 [0105.264] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="desktop.ini") returned -1 [0105.264] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="CONFIG.SYS") returned -1 [0105.264] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="RECYCLER") returned -1 [0105.265] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="BOOTSECT.BAK") returned -1 [0105.265] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="bootmgr") returned -1 [0105.265] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="programdata") returned -1 [0105.265] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="appdata") returned -1 [0105.265] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="program files") returned -1 [0105.265] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="program files (x86)") returned -1 [0105.265] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.265] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="3fU-xgmX.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\3fU-xgmX.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\3fU-xgmX.png" [0105.265] PathFindExtensionW (pszPath="3fU-xgmX.png") returned=".png" [0105.265] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0105.265] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0105.265] lstrcmpiW (lpString1="3fU-xgmX.png", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.265] lstrlenA (lpString="NEPHILIM") returned 8 [0105.265] GetProcessHeap () returned 0x4e0000 [0105.265] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50daf0 [0105.266] lstrlenA (lpString="NEPHILIM") returned 8 [0105.266] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\3fU-xgmX.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\3fu-xgmx.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0105.266] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=22921) returned 1 [0105.266] GetProcessHeap () returned 0x4e0000 [0105.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.266] GetProcessHeap () returned 0x4e0000 [0105.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.266] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.266] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.266] GetProcessHeap () returned 0x4e0000 [0105.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.266] GetProcessHeap () returned 0x4e0000 [0105.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.266] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24dd508*=0x100) returned 1 [0105.267] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24dd504*=0x100) returned 1 [0105.267] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x5989, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.267] SetLastError (dwErrCode=0x0) [0105.267] WriteFile (in: hFile=0xf4, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.268] GetLastError () returned 0x0 [0105.268] GetLastError () returned 0x0 [0105.268] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x5a89, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.268] WriteFile (in: hFile=0xf4, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.268] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x5b89, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.268] lstrlenA (lpString="NEPHILIM") returned 8 [0105.268] WriteFile (in: hFile=0xf4, lpBuffer=0x50daf0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50daf0*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0105.268] GetProcessHeap () returned 0x4e0000 [0105.268] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x5989) returned 0x50dcb8 [0105.268] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.268] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x5989, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x5989, lpOverlapped=0x0) returned 1 [0105.270] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.270] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x5989, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x5989, lpOverlapped=0x0) returned 1 [0105.270] GetProcessHeap () returned 0x4e0000 [0105.270] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.270] CloseHandle (hObject=0xf4) returned 1 [0105.272] GetProcessHeap () returned 0x4e0000 [0105.272] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.272] GetProcessHeap () returned 0x4e0000 [0105.272] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.272] GetProcessHeap () returned 0x4e0000 [0105.272] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.272] GetProcessHeap () returned 0x4e0000 [0105.272] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.272] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\3fU-xgmX.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\3fU-xgmX.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\3fU-xgmX.png" [0105.272] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\3fU-xgmX.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\3fU-xgmX.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\3fU-xgmX.png.NEPHILIM" [0105.272] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\3fU-xgmX.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\3fu-xgmx.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\3fU-xgmX.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\3fu-xgmx.png.nephilim")) returned 1 [0105.274] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b2c1390, ftCreationTime.dwHighDateTime=0x1d5de23, ftLastAccessTime.dwLowDateTime=0x28ea4c40, ftLastAccessTime.dwHighDateTime=0x1d5d829, ftLastWriteTime.dwLowDateTime=0x28ea4c40, ftLastWriteTime.dwHighDateTime=0x1d5d829, nFileSizeHigh=0x0, nFileSizeLow=0xfde4, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="5ugmzBnJys-rOcLEHK.jpg", cAlternateFileName="5UGMZB~1.JPG")) returned 1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2=".") returned 1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="..") returned 1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="...") returned 1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="windows") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="$RECYCLE.BIN") returned 1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="rsa") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="log") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="NTDETECT.COM") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="ntldr") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="MSDOS.SYS") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="IO.SYS") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="boot.ini") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="AUTOEXEC.BAT") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="ntuser.dat") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="desktop.ini") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="CONFIG.SYS") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="RECYCLER") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="BOOTSECT.BAK") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="bootmgr") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="programdata") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="appdata") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="program files") returned -1 [0105.274] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="program files (x86)") returned -1 [0105.274] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.275] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="5ugmzBnJys-rOcLEHK.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\5ugmzBnJys-rOcLEHK.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\5ugmzBnJys-rOcLEHK.jpg" [0105.275] PathFindExtensionW (pszPath="5ugmzBnJys-rOcLEHK.jpg") returned=".jpg" [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0105.275] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0105.275] lstrcmpiW (lpString1="5ugmzBnJys-rOcLEHK.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.275] lstrlenA (lpString="NEPHILIM") returned 8 [0105.275] GetProcessHeap () returned 0x4e0000 [0105.275] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50db00 [0105.275] lstrlenA (lpString="NEPHILIM") returned 8 [0105.275] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\5ugmzBnJys-rOcLEHK.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\5ugmzbnjys-roclehk.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0105.276] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=64996) returned 1 [0105.276] GetProcessHeap () returned 0x4e0000 [0105.276] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.276] GetProcessHeap () returned 0x4e0000 [0105.276] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.276] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.276] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.276] GetProcessHeap () returned 0x4e0000 [0105.276] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.276] GetProcessHeap () returned 0x4e0000 [0105.276] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.276] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24dd508*=0x100) returned 1 [0105.276] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24dd504*=0x100) returned 1 [0105.277] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfde4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.277] SetLastError (dwErrCode=0x0) [0105.277] WriteFile (in: hFile=0xf4, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.278] GetLastError () returned 0x0 [0105.278] GetLastError () returned 0x0 [0105.278] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfee4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.278] WriteFile (in: hFile=0xf4, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.278] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffe4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.278] lstrlenA (lpString="NEPHILIM") returned 8 [0105.278] WriteFile (in: hFile=0xf4, lpBuffer=0x50db00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50db00*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0105.278] GetProcessHeap () returned 0x4e0000 [0105.278] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xfde4) returned 0x50dcb8 [0105.278] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.278] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xfde4, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0xfde4, lpOverlapped=0x0) returned 1 [0105.282] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.282] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xfde4, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0xfde4, lpOverlapped=0x0) returned 1 [0105.283] GetProcessHeap () returned 0x4e0000 [0105.283] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.283] CloseHandle (hObject=0xf4) returned 1 [0105.288] GetProcessHeap () returned 0x4e0000 [0105.288] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.288] GetProcessHeap () returned 0x4e0000 [0105.288] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.288] GetProcessHeap () returned 0x4e0000 [0105.288] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.288] GetProcessHeap () returned 0x4e0000 [0105.288] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.288] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\5ugmzBnJys-rOcLEHK.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\5ugmzBnJys-rOcLEHK.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\5ugmzBnJys-rOcLEHK.jpg" [0105.288] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\5ugmzBnJys-rOcLEHK.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\5ugmzBnJys-rOcLEHK.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\5ugmzBnJys-rOcLEHK.jpg.NEPHILIM" [0105.289] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\5ugmzBnJys-rOcLEHK.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\5ugmzbnjys-roclehk.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\5ugmzBnJys-rOcLEHK.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\5ugmzbnjys-roclehk.jpg.nephilim")) returned 1 [0105.289] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1de59e40, ftCreationTime.dwHighDateTime=0x1d5da3f, ftLastAccessTime.dwLowDateTime=0xf060a9a0, ftLastAccessTime.dwHighDateTime=0x1d5d977, ftLastWriteTime.dwLowDateTime=0xf060a9a0, ftLastWriteTime.dwHighDateTime=0x1d5d977, nFileSizeHigh=0x0, nFileSizeLow=0xe79, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="6D_3i63CyKTA.bmp", cAlternateFileName="6D_3I6~1.BMP")) returned 1 [0105.289] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2=".") returned 1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="..") returned 1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="...") returned 1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="windows") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="$RECYCLE.BIN") returned 1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="rsa") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="log") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="NTDETECT.COM") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="ntldr") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="MSDOS.SYS") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="IO.SYS") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="boot.ini") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="AUTOEXEC.BAT") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="ntuser.dat") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="desktop.ini") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="CONFIG.SYS") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="RECYCLER") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="BOOTSECT.BAK") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="bootmgr") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="programdata") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="appdata") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="program files") returned -1 [0105.290] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="program files (x86)") returned -1 [0105.290] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.290] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="6D_3i63CyKTA.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\6D_3i63CyKTA.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\6D_3i63CyKTA.bmp" [0105.290] PathFindExtensionW (pszPath="6D_3i63CyKTA.bmp") returned=".bmp" [0105.290] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0105.291] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0105.291] lstrcmpiW (lpString1="6D_3i63CyKTA.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.291] lstrlenA (lpString="NEPHILIM") returned 8 [0105.291] GetProcessHeap () returned 0x4e0000 [0105.291] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50db10 [0105.291] lstrlenA (lpString="NEPHILIM") returned 8 [0105.291] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\6D_3i63CyKTA.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\6d_3i63cykta.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0105.292] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=3705) returned 1 [0105.292] GetProcessHeap () returned 0x4e0000 [0105.292] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.292] GetProcessHeap () returned 0x4e0000 [0105.292] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.292] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.292] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.292] GetProcessHeap () returned 0x4e0000 [0105.292] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.292] GetProcessHeap () returned 0x4e0000 [0105.292] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.292] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24dd508*=0x100) returned 1 [0105.292] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24dd504*=0x100) returned 1 [0105.293] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xe79, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.293] SetLastError (dwErrCode=0x0) [0105.293] WriteFile (in: hFile=0xf4, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.294] GetLastError () returned 0x0 [0105.294] GetLastError () returned 0x0 [0105.294] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xf79, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.295] WriteFile (in: hFile=0xf4, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.295] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x1079, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.295] lstrlenA (lpString="NEPHILIM") returned 8 [0105.295] WriteFile (in: hFile=0xf4, lpBuffer=0x50db10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50db10*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0105.295] GetProcessHeap () returned 0x4e0000 [0105.295] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xe79) returned 0x50dcb8 [0105.295] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.295] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xe79, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0xe79, lpOverlapped=0x0) returned 1 [0105.296] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.296] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xe79, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0xe79, lpOverlapped=0x0) returned 1 [0105.296] GetProcessHeap () returned 0x4e0000 [0105.296] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.296] CloseHandle (hObject=0xf4) returned 1 [0105.300] GetProcessHeap () returned 0x4e0000 [0105.300] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.300] GetProcessHeap () returned 0x4e0000 [0105.300] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.300] GetProcessHeap () returned 0x4e0000 [0105.300] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.300] GetProcessHeap () returned 0x4e0000 [0105.300] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.300] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\6D_3i63CyKTA.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\6D_3i63CyKTA.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\6D_3i63CyKTA.bmp" [0105.300] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\6D_3i63CyKTA.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\6D_3i63CyKTA.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\6D_3i63CyKTA.bmp.NEPHILIM" [0105.300] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\6D_3i63CyKTA.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\6d_3i63cykta.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\6D_3i63CyKTA.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\6d_3i63cykta.bmp.nephilim")) returned 1 [0105.301] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a03780, ftCreationTime.dwHighDateTime=0x1d5e0b8, ftLastAccessTime.dwLowDateTime=0x3f647a0, ftLastAccessTime.dwHighDateTime=0x1d5dfee, ftLastWriteTime.dwLowDateTime=0x3f647a0, ftLastWriteTime.dwHighDateTime=0x1d5dfee, nFileSizeHigh=0x0, nFileSizeLow=0xa1d1, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="7gVOpP5x4gzk.gif", cAlternateFileName="7GVOPP~1.GIF")) returned 1 [0105.301] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2=".") returned 1 [0105.301] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="..") returned 1 [0105.301] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="...") returned 1 [0105.301] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="windows") returned -1 [0105.301] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="$RECYCLE.BIN") returned 1 [0105.301] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="rsa") returned -1 [0105.301] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="log") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="NTDETECT.COM") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="ntldr") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="MSDOS.SYS") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="IO.SYS") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="boot.ini") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="AUTOEXEC.BAT") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="ntuser.dat") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="desktop.ini") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="CONFIG.SYS") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="RECYCLER") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="BOOTSECT.BAK") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="bootmgr") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="programdata") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="appdata") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="program files") returned -1 [0105.302] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="program files (x86)") returned -1 [0105.302] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.302] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="7gVOpP5x4gzk.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\7gVOpP5x4gzk.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\7gVOpP5x4gzk.gif" [0105.302] PathFindExtensionW (pszPath="7gVOpP5x4gzk.gif") returned=".gif" [0105.302] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0105.302] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0105.302] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0105.302] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0105.302] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0105.302] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0105.302] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0105.303] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0105.303] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0105.303] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0105.303] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0105.303] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0105.303] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0105.303] lstrcmpiW (lpString1=".gif", lpString2=".NEPHILIM") returned -1 [0105.303] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0105.303] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0105.303] lstrcmpiW (lpString1="7gVOpP5x4gzk.gif", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.303] lstrlenA (lpString="NEPHILIM") returned 8 [0105.303] GetProcessHeap () returned 0x4e0000 [0105.303] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50db20 [0105.303] lstrlenA (lpString="NEPHILIM") returned 8 [0105.303] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\7gVOpP5x4gzk.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\7gvopp5x4gzk.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0105.303] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=41425) returned 1 [0105.304] GetProcessHeap () returned 0x4e0000 [0105.304] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.304] GetProcessHeap () returned 0x4e0000 [0105.304] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.304] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.304] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.304] GetProcessHeap () returned 0x4e0000 [0105.304] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.304] GetProcessHeap () returned 0x4e0000 [0105.304] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.304] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24dd508*=0x100) returned 1 [0105.304] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24dd504*=0x100) returned 1 [0105.304] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xa1d1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.304] SetLastError (dwErrCode=0x0) [0105.304] WriteFile (in: hFile=0xf4, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.305] GetLastError () returned 0x0 [0105.305] GetLastError () returned 0x0 [0105.305] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xa2d1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.306] WriteFile (in: hFile=0xf4, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.306] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xa3d1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.306] lstrlenA (lpString="NEPHILIM") returned 8 [0105.306] WriteFile (in: hFile=0xf4, lpBuffer=0x50db20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50db20*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0105.306] GetProcessHeap () returned 0x4e0000 [0105.306] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xa1d1) returned 0x50dcb8 [0105.306] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.306] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xa1d1, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0xa1d1, lpOverlapped=0x0) returned 1 [0105.308] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.308] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xa1d1, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0xa1d1, lpOverlapped=0x0) returned 1 [0105.309] GetProcessHeap () returned 0x4e0000 [0105.309] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.309] CloseHandle (hObject=0xf4) returned 1 [0105.336] GetProcessHeap () returned 0x4e0000 [0105.336] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.336] GetProcessHeap () returned 0x4e0000 [0105.336] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.336] GetProcessHeap () returned 0x4e0000 [0105.336] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.336] GetProcessHeap () returned 0x4e0000 [0105.336] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.336] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\7gVOpP5x4gzk.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\7gVOpP5x4gzk.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\7gVOpP5x4gzk.gif" [0105.336] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\7gVOpP5x4gzk.gif", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\7gVOpP5x4gzk.gif.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\7gVOpP5x4gzk.gif.NEPHILIM" [0105.336] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\7gVOpP5x4gzk.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\7gvopp5x4gzk.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\7gVOpP5x4gzk.gif.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\7gvopp5x4gzk.gif.nephilim")) returned 1 [0105.337] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x533c90b0, ftCreationTime.dwHighDateTime=0x1d5dce4, ftLastAccessTime.dwLowDateTime=0x50064f40, ftLastAccessTime.dwHighDateTime=0x1d5e684, ftLastWriteTime.dwLowDateTime=0x50064f40, ftLastWriteTime.dwHighDateTime=0x1d5e684, nFileSizeHigh=0x0, nFileSizeLow=0x109b1, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="IAIe7hWkMsQcX.bmp", cAlternateFileName="IAIE7H~1.BMP")) returned 1 [0105.337] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2=".") returned 1 [0105.337] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="..") returned 1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="...") returned 1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="windows") returned -1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="$RECYCLE.BIN") returned 1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="rsa") returned -1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="log") returned -1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="NTDETECT.COM") returned -1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="ntldr") returned -1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="MSDOS.SYS") returned -1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="IO.SYS") returned -1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="boot.ini") returned 1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="ntuser.dat") returned -1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="desktop.ini") returned 1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="CONFIG.SYS") returned 1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="RECYCLER") returned -1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="BOOTSECT.BAK") returned 1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="bootmgr") returned 1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="programdata") returned -1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="appdata") returned 1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="program files") returned -1 [0105.338] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="program files (x86)") returned -1 [0105.338] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.338] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="IAIe7hWkMsQcX.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\IAIe7hWkMsQcX.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\IAIe7hWkMsQcX.bmp" [0105.338] PathFindExtensionW (pszPath="IAIe7hWkMsQcX.bmp") returned=".bmp" [0105.338] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0105.339] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0105.339] lstrcmpiW (lpString1="IAIe7hWkMsQcX.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.339] lstrlenA (lpString="NEPHILIM") returned 8 [0105.339] GetProcessHeap () returned 0x4e0000 [0105.339] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50db30 [0105.339] lstrlenA (lpString="NEPHILIM") returned 8 [0105.339] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\IAIe7hWkMsQcX.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\iaie7hwkmsqcx.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0105.340] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=68017) returned 1 [0105.340] GetProcessHeap () returned 0x4e0000 [0105.340] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.340] GetProcessHeap () returned 0x4e0000 [0105.340] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.340] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.340] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.340] GetProcessHeap () returned 0x4e0000 [0105.340] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.340] GetProcessHeap () returned 0x4e0000 [0105.340] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.340] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24dd508*=0x100) returned 1 [0105.340] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24dd504*=0x100) returned 1 [0105.341] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x109b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.341] SetLastError (dwErrCode=0x0) [0105.341] WriteFile (in: hFile=0xf4, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.342] GetLastError () returned 0x0 [0105.342] GetLastError () returned 0x0 [0105.342] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x10ab1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.343] WriteFile (in: hFile=0xf4, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.343] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x10bb1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.343] lstrlenA (lpString="NEPHILIM") returned 8 [0105.343] WriteFile (in: hFile=0xf4, lpBuffer=0x50db30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50db30*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0105.343] GetProcessHeap () returned 0x4e0000 [0105.343] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x109b1) returned 0x50dcb8 [0105.343] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.343] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x109b1, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x109b1, lpOverlapped=0x0) returned 1 [0105.347] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.347] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x109b1, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x109b1, lpOverlapped=0x0) returned 1 [0105.348] GetProcessHeap () returned 0x4e0000 [0105.348] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.348] CloseHandle (hObject=0xf4) returned 1 [0105.352] GetProcessHeap () returned 0x4e0000 [0105.352] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.352] GetProcessHeap () returned 0x4e0000 [0105.352] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.352] GetProcessHeap () returned 0x4e0000 [0105.352] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.352] GetProcessHeap () returned 0x4e0000 [0105.352] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.352] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\IAIe7hWkMsQcX.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\IAIe7hWkMsQcX.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\IAIe7hWkMsQcX.bmp" [0105.353] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\IAIe7hWkMsQcX.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\IAIe7hWkMsQcX.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\IAIe7hWkMsQcX.bmp.NEPHILIM" [0105.353] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\IAIe7hWkMsQcX.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\iaie7hwkmsqcx.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\IAIe7hWkMsQcX.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\iaie7hwkmsqcx.bmp.nephilim")) returned 1 [0105.353] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6d98720, ftCreationTime.dwHighDateTime=0x1d5e345, ftLastAccessTime.dwLowDateTime=0xccf29930, ftLastAccessTime.dwHighDateTime=0x1d5e3e3, ftLastWriteTime.dwLowDateTime=0xccf29930, ftLastWriteTime.dwHighDateTime=0x1d5e3e3, nFileSizeHigh=0x0, nFileSizeLow=0x3151, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="il9ZK5-Hrw.jpg", cAlternateFileName="IL9ZK5~1.JPG")) returned 1 [0105.353] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2=".") returned 1 [0105.353] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="..") returned 1 [0105.353] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="...") returned 1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="windows") returned -1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="$RECYCLE.BIN") returned 1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="rsa") returned -1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="log") returned -1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="NTDETECT.COM") returned -1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="ntldr") returned -1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="MSDOS.SYS") returned -1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="IO.SYS") returned -1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="boot.ini") returned 1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="ntuser.dat") returned -1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="desktop.ini") returned 1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="CONFIG.SYS") returned 1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="RECYCLER") returned -1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="BOOTSECT.BAK") returned 1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="bootmgr") returned 1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="programdata") returned -1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="appdata") returned 1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="program files") returned -1 [0105.354] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="program files (x86)") returned -1 [0105.354] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.354] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="il9ZK5-Hrw.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\il9ZK5-Hrw.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\il9ZK5-Hrw.jpg" [0105.354] PathFindExtensionW (pszPath="il9ZK5-Hrw.jpg") returned=".jpg" [0105.354] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0105.354] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0105.354] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0105.354] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0105.355] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0105.355] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0105.355] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0105.355] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0105.355] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0105.355] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0105.355] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0105.355] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0105.355] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0105.355] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0105.355] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0105.355] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0105.355] lstrcmpiW (lpString1="il9ZK5-Hrw.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.355] lstrlenA (lpString="NEPHILIM") returned 8 [0105.355] GetProcessHeap () returned 0x4e0000 [0105.355] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50db40 [0105.355] lstrlenA (lpString="NEPHILIM") returned 8 [0105.355] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\il9ZK5-Hrw.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\il9zk5-hrw.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0105.355] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=12625) returned 1 [0105.355] GetProcessHeap () returned 0x4e0000 [0105.355] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.355] GetProcessHeap () returned 0x4e0000 [0105.355] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.356] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.356] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.356] GetProcessHeap () returned 0x4e0000 [0105.356] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.356] GetProcessHeap () returned 0x4e0000 [0105.356] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.356] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24dd508*=0x100) returned 1 [0105.356] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24dd504*=0x100) returned 1 [0105.356] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x3151, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.356] SetLastError (dwErrCode=0x0) [0105.356] WriteFile (in: hFile=0xf4, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.358] GetLastError () returned 0x0 [0105.358] GetLastError () returned 0x0 [0105.358] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x3251, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.358] WriteFile (in: hFile=0xf4, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.358] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x3351, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.358] lstrlenA (lpString="NEPHILIM") returned 8 [0105.358] WriteFile (in: hFile=0xf4, lpBuffer=0x50db40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50db40*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0105.358] GetProcessHeap () returned 0x4e0000 [0105.358] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3151) returned 0x50dcb8 [0105.358] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.358] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x3151, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x3151, lpOverlapped=0x0) returned 1 [0105.359] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.359] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x3151, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x3151, lpOverlapped=0x0) returned 1 [0105.359] GetProcessHeap () returned 0x4e0000 [0105.359] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.359] CloseHandle (hObject=0xf4) returned 1 [0105.360] GetProcessHeap () returned 0x4e0000 [0105.360] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.360] GetProcessHeap () returned 0x4e0000 [0105.360] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.361] GetProcessHeap () returned 0x4e0000 [0105.361] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.361] GetProcessHeap () returned 0x4e0000 [0105.361] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.361] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\il9ZK5-Hrw.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\il9ZK5-Hrw.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\il9ZK5-Hrw.jpg" [0105.361] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\il9ZK5-Hrw.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\il9ZK5-Hrw.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\il9ZK5-Hrw.jpg.NEPHILIM" [0105.361] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\il9ZK5-Hrw.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\il9zk5-hrw.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\il9ZK5-Hrw.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\il9zk5-hrw.jpg.nephilim")) returned 1 [0105.361] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc02a5860, ftCreationTime.dwHighDateTime=0x1d5ddd9, ftLastAccessTime.dwLowDateTime=0x9c250890, ftLastAccessTime.dwHighDateTime=0x1d5e435, ftLastWriteTime.dwLowDateTime=0x9c250890, ftLastWriteTime.dwHighDateTime=0x1d5e435, nFileSizeHigh=0x0, nFileSizeLow=0x71d4, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="jGX8exTTasoF4.bmp", cAlternateFileName="JGX8EX~1.BMP")) returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2=".") returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="..") returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="...") returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="windows") returned -1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="$RECYCLE.BIN") returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="rsa") returned -1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="log") returned -1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="NTDETECT.COM") returned -1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="ntldr") returned -1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="MSDOS.SYS") returned -1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="IO.SYS") returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="boot.ini") returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="ntuser.dat") returned -1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="desktop.ini") returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="CONFIG.SYS") returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="RECYCLER") returned -1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="BOOTSECT.BAK") returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="bootmgr") returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="programdata") returned -1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="appdata") returned 1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="program files") returned -1 [0105.362] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="program files (x86)") returned -1 [0105.362] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.363] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="jGX8exTTasoF4.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\jGX8exTTasoF4.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\jGX8exTTasoF4.bmp" [0105.363] PathFindExtensionW (pszPath="jGX8exTTasoF4.bmp") returned=".bmp" [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0105.363] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0105.363] lstrcmpiW (lpString1="jGX8exTTasoF4.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.363] lstrlenA (lpString="NEPHILIM") returned 8 [0105.363] GetProcessHeap () returned 0x4e0000 [0105.363] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50db50 [0105.363] lstrlenA (lpString="NEPHILIM") returned 8 [0105.363] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\jGX8exTTasoF4.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\jgx8exttasof4.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0105.364] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=29140) returned 1 [0105.364] GetProcessHeap () returned 0x4e0000 [0105.364] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.364] GetProcessHeap () returned 0x4e0000 [0105.364] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.364] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.364] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.364] GetProcessHeap () returned 0x4e0000 [0105.364] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.364] GetProcessHeap () returned 0x4e0000 [0105.364] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.364] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24dd508*=0x100) returned 1 [0105.364] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24dd504*=0x100) returned 1 [0105.365] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x71d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.365] SetLastError (dwErrCode=0x0) [0105.365] WriteFile (in: hFile=0xf4, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.366] GetLastError () returned 0x0 [0105.366] GetLastError () returned 0x0 [0105.366] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x72d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.366] WriteFile (in: hFile=0xf4, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.366] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x73d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.366] lstrlenA (lpString="NEPHILIM") returned 8 [0105.366] WriteFile (in: hFile=0xf4, lpBuffer=0x50db50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50db50*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0105.366] GetProcessHeap () returned 0x4e0000 [0105.366] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x71d4) returned 0x50dcb8 [0105.366] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.366] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x71d4, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x71d4, lpOverlapped=0x0) returned 1 [0105.368] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.368] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x71d4, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x71d4, lpOverlapped=0x0) returned 1 [0105.369] GetProcessHeap () returned 0x4e0000 [0105.369] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.369] CloseHandle (hObject=0xf4) returned 1 [0105.370] GetProcessHeap () returned 0x4e0000 [0105.371] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.371] GetProcessHeap () returned 0x4e0000 [0105.371] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.371] GetProcessHeap () returned 0x4e0000 [0105.371] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.371] GetProcessHeap () returned 0x4e0000 [0105.371] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.371] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\jGX8exTTasoF4.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\jGX8exTTasoF4.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\jGX8exTTasoF4.bmp" [0105.371] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\jGX8exTTasoF4.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\jGX8exTTasoF4.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\jGX8exTTasoF4.bmp.NEPHILIM" [0105.371] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\jGX8exTTasoF4.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\jgx8exttasof4.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\jGX8exTTasoF4.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\jgx8exttasof4.bmp.nephilim")) returned 1 [0105.372] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf126890, ftCreationTime.dwHighDateTime=0x1d5e3e1, ftLastAccessTime.dwLowDateTime=0x28cef050, ftLastAccessTime.dwHighDateTime=0x1d5da7f, ftLastWriteTime.dwLowDateTime=0x28cef050, ftLastWriteTime.dwHighDateTime=0x1d5da7f, nFileSizeHigh=0x0, nFileSizeLow=0xae95, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="k- FY_KLVjDdr.gif", cAlternateFileName="K-FY_K~1.GIF")) returned 1 [0105.372] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2=".") returned 1 [0105.372] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="..") returned 1 [0105.372] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="...") returned 1 [0105.372] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="windows") returned -1 [0105.372] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="$RECYCLE.BIN") returned 1 [0105.372] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="rsa") returned -1 [0105.382] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="log") returned -1 [0105.382] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="NTDETECT.COM") returned -1 [0105.382] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="ntldr") returned -1 [0105.382] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="MSDOS.SYS") returned -1 [0105.382] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="IO.SYS") returned 1 [0105.382] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="boot.ini") returned 1 [0105.382] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="AUTOEXEC.BAT") returned 1 [0105.382] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="ntuser.dat") returned -1 [0105.382] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="desktop.ini") returned 1 [0105.382] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="CONFIG.SYS") returned 1 [0105.383] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="RECYCLER") returned -1 [0105.383] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="BOOTSECT.BAK") returned 1 [0105.383] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="bootmgr") returned 1 [0105.383] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="programdata") returned -1 [0105.383] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="appdata") returned 1 [0105.383] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="program files") returned -1 [0105.383] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="program files (x86)") returned -1 [0105.383] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.383] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="k- FY_KLVjDdr.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\k- FY_KLVjDdr.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\k- FY_KLVjDdr.gif" [0105.383] PathFindExtensionW (pszPath="k- FY_KLVjDdr.gif") returned=".gif" [0105.383] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0105.383] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0105.383] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0105.383] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0105.383] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0105.383] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0105.383] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0105.383] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0105.383] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0105.383] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0105.384] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0105.384] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0105.384] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0105.384] lstrcmpiW (lpString1=".gif", lpString2=".NEPHILIM") returned -1 [0105.384] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0105.384] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0105.384] lstrcmpiW (lpString1="k- FY_KLVjDdr.gif", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.384] lstrlenA (lpString="NEPHILIM") returned 8 [0105.384] GetProcessHeap () returned 0x4e0000 [0105.384] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50db60 [0105.384] lstrlenA (lpString="NEPHILIM") returned 8 [0105.384] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\k- FY_KLVjDdr.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\k- fy_klvjddr.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0105.385] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=44693) returned 1 [0105.385] GetProcessHeap () returned 0x4e0000 [0105.385] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.385] GetProcessHeap () returned 0x4e0000 [0105.385] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.385] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.385] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.385] GetProcessHeap () returned 0x4e0000 [0105.385] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.385] GetProcessHeap () returned 0x4e0000 [0105.385] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.385] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24dd508*=0x100) returned 1 [0105.385] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24dd504*=0x100) returned 1 [0105.386] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xae95, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.386] SetLastError (dwErrCode=0x0) [0105.386] WriteFile (in: hFile=0xf4, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.387] GetLastError () returned 0x0 [0105.387] GetLastError () returned 0x0 [0105.387] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xaf95, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.387] WriteFile (in: hFile=0xf4, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.388] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xb095, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.388] lstrlenA (lpString="NEPHILIM") returned 8 [0105.388] WriteFile (in: hFile=0xf4, lpBuffer=0x50db60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50db60*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0105.388] GetProcessHeap () returned 0x4e0000 [0105.388] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xae95) returned 0x50dcb8 [0105.388] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.389] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xae95, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0xae95, lpOverlapped=0x0) returned 1 [0105.391] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.391] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xae95, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0xae95, lpOverlapped=0x0) returned 1 [0105.392] GetProcessHeap () returned 0x4e0000 [0105.392] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.392] CloseHandle (hObject=0xf4) returned 1 [0105.393] GetProcessHeap () returned 0x4e0000 [0105.393] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.393] GetProcessHeap () returned 0x4e0000 [0105.393] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.393] GetProcessHeap () returned 0x4e0000 [0105.393] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.393] GetProcessHeap () returned 0x4e0000 [0105.393] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.393] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\k- FY_KLVjDdr.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\k- FY_KLVjDdr.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\k- FY_KLVjDdr.gif" [0105.394] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\k- FY_KLVjDdr.gif", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\k- FY_KLVjDdr.gif.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\k- FY_KLVjDdr.gif.NEPHILIM" [0105.394] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\k- FY_KLVjDdr.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\k- fy_klvjddr.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\k- FY_KLVjDdr.gif.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\k- fy_klvjddr.gif.nephilim")) returned 1 [0105.395] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ca07450, ftCreationTime.dwHighDateTime=0x1d5d9c7, ftLastAccessTime.dwLowDateTime=0x6f650870, ftLastAccessTime.dwHighDateTime=0x1d5d9e8, ftLastWriteTime.dwLowDateTime=0x6f650870, ftLastWriteTime.dwHighDateTime=0x1d5d9e8, nFileSizeHigh=0x0, nFileSizeLow=0x12a7, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="KAYKzmSLN.bmp", cAlternateFileName="KAYKZM~1.BMP")) returned 1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2=".") returned 1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="..") returned 1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="...") returned 1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="windows") returned -1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="$RECYCLE.BIN") returned 1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="rsa") returned -1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="log") returned -1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="NTDETECT.COM") returned -1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="ntldr") returned -1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="MSDOS.SYS") returned -1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="IO.SYS") returned 1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="boot.ini") returned 1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="ntuser.dat") returned -1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="desktop.ini") returned 1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="CONFIG.SYS") returned 1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="RECYCLER") returned -1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="BOOTSECT.BAK") returned 1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="bootmgr") returned 1 [0105.395] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="programdata") returned -1 [0105.396] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="appdata") returned 1 [0105.396] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="program files") returned -1 [0105.396] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="program files (x86)") returned -1 [0105.396] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.396] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="KAYKzmSLN.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\KAYKzmSLN.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\KAYKzmSLN.bmp" [0105.396] PathFindExtensionW (pszPath="KAYKzmSLN.bmp") returned=".bmp" [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0105.396] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0105.396] lstrcmpiW (lpString1="KAYKzmSLN.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.396] lstrlenA (lpString="NEPHILIM") returned 8 [0105.396] GetProcessHeap () returned 0x4e0000 [0105.397] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50db70 [0105.397] lstrlenA (lpString="NEPHILIM") returned 8 [0105.397] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\KAYKzmSLN.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\kaykzmsln.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0105.397] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4775) returned 1 [0105.397] GetProcessHeap () returned 0x4e0000 [0105.397] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.397] GetProcessHeap () returned 0x4e0000 [0105.397] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.397] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.397] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.397] GetProcessHeap () returned 0x4e0000 [0105.397] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.397] GetProcessHeap () returned 0x4e0000 [0105.397] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.397] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24dd508*=0x100) returned 1 [0105.398] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24dd504*=0x100) returned 1 [0105.398] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x12a7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.398] SetLastError (dwErrCode=0x0) [0105.398] WriteFile (in: hFile=0xf4, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.399] GetLastError () returned 0x0 [0105.399] GetLastError () returned 0x0 [0105.399] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x13a7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.399] WriteFile (in: hFile=0xf4, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.399] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x14a7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.399] lstrlenA (lpString="NEPHILIM") returned 8 [0105.399] WriteFile (in: hFile=0xf4, lpBuffer=0x50db70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50db70*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0105.399] GetProcessHeap () returned 0x4e0000 [0105.399] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x12a7) returned 0x50dcb8 [0105.399] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.400] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x12a7, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x12a7, lpOverlapped=0x0) returned 1 [0105.400] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.400] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x12a7, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x12a7, lpOverlapped=0x0) returned 1 [0105.400] GetProcessHeap () returned 0x4e0000 [0105.400] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.400] CloseHandle (hObject=0xf4) returned 1 [0105.401] GetProcessHeap () returned 0x4e0000 [0105.401] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.401] GetProcessHeap () returned 0x4e0000 [0105.401] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.401] GetProcessHeap () returned 0x4e0000 [0105.401] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.401] GetProcessHeap () returned 0x4e0000 [0105.401] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.402] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\KAYKzmSLN.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\KAYKzmSLN.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\KAYKzmSLN.bmp" [0105.402] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\KAYKzmSLN.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\KAYKzmSLN.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\KAYKzmSLN.bmp.NEPHILIM" [0105.402] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\KAYKzmSLN.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\kaykzmsln.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\KAYKzmSLN.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\kaykzmsln.bmp.nephilim")) returned 1 [0105.402] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c409820, ftCreationTime.dwHighDateTime=0x1d5d9b4, ftLastAccessTime.dwLowDateTime=0x89250220, ftLastAccessTime.dwHighDateTime=0x1d5e0a4, ftLastWriteTime.dwLowDateTime=0x89250220, ftLastWriteTime.dwHighDateTime=0x1d5e0a4, nFileSizeHigh=0x0, nFileSizeLow=0x2235, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="ltraUM.png", cAlternateFileName="")) returned 1 [0105.402] lstrcmpiW (lpString1="ltraUM.png", lpString2=".") returned 1 [0105.402] lstrcmpiW (lpString1="ltraUM.png", lpString2="..") returned 1 [0105.402] lstrcmpiW (lpString1="ltraUM.png", lpString2="...") returned 1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="windows") returned -1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="$RECYCLE.BIN") returned 1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="rsa") returned -1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="log") returned 1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="NTDETECT.COM") returned -1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="ntldr") returned -1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="MSDOS.SYS") returned -1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="IO.SYS") returned 1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="boot.ini") returned 1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="AUTOEXEC.BAT") returned 1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="ntuser.dat") returned -1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="desktop.ini") returned 1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="CONFIG.SYS") returned 1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="RECYCLER") returned -1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="BOOTSECT.BAK") returned 1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="bootmgr") returned 1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="programdata") returned -1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="appdata") returned 1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="program files") returned -1 [0105.403] lstrcmpiW (lpString1="ltraUM.png", lpString2="program files (x86)") returned -1 [0105.403] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.403] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="ltraUM.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\ltraUM.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\ltraUM.png" [0105.403] PathFindExtensionW (pszPath="ltraUM.png") returned=".png" [0105.403] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0105.404] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0105.404] lstrcmpiW (lpString1="ltraUM.png", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.404] lstrlenA (lpString="NEPHILIM") returned 8 [0105.404] GetProcessHeap () returned 0x4e0000 [0105.404] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50db80 [0105.404] lstrlenA (lpString="NEPHILIM") returned 8 [0105.404] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\ltraUM.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\ltraum.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0105.404] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=8757) returned 1 [0105.405] GetProcessHeap () returned 0x4e0000 [0105.405] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.405] GetProcessHeap () returned 0x4e0000 [0105.405] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.405] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.405] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.405] GetProcessHeap () returned 0x4e0000 [0105.405] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.405] GetProcessHeap () returned 0x4e0000 [0105.405] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.405] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24dd508*=0x100) returned 1 [0105.405] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24dd504*=0x100) returned 1 [0105.405] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x2235, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.405] SetLastError (dwErrCode=0x0) [0105.405] WriteFile (in: hFile=0xf4, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.406] GetLastError () returned 0x0 [0105.406] GetLastError () returned 0x0 [0105.407] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x2335, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.407] WriteFile (in: hFile=0xf4, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.407] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x2435, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.407] lstrlenA (lpString="NEPHILIM") returned 8 [0105.407] WriteFile (in: hFile=0xf4, lpBuffer=0x50db80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50db80*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0105.407] GetProcessHeap () returned 0x4e0000 [0105.407] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2235) returned 0x50dcb8 [0105.407] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.407] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x2235, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x2235, lpOverlapped=0x0) returned 1 [0105.408] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.408] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x2235, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x2235, lpOverlapped=0x0) returned 1 [0105.408] GetProcessHeap () returned 0x4e0000 [0105.408] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.408] CloseHandle (hObject=0xf4) returned 1 [0105.409] GetProcessHeap () returned 0x4e0000 [0105.409] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.409] GetProcessHeap () returned 0x4e0000 [0105.409] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.409] GetProcessHeap () returned 0x4e0000 [0105.409] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.409] GetProcessHeap () returned 0x4e0000 [0105.409] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.409] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\ltraUM.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\ltraUM.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\ltraUM.png" [0105.409] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\ltraUM.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\ltraUM.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\ltraUM.png.NEPHILIM" [0105.409] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\ltraUM.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\ltraum.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\ltraUM.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\ltraum.png.nephilim")) returned 1 [0105.410] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9d198e0, ftCreationTime.dwHighDateTime=0x1d5e58b, ftLastAccessTime.dwLowDateTime=0x667f3010, ftLastAccessTime.dwHighDateTime=0x1d5e5f4, ftLastWriteTime.dwLowDateTime=0x667f3010, ftLastWriteTime.dwHighDateTime=0x1d5e5f4, nFileSizeHigh=0x0, nFileSizeLow=0x14831, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="WxLYTXoAy1YslFDMb0H.png", cAlternateFileName="WXLYTX~1.PNG")) returned 1 [0105.410] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2=".") returned 1 [0105.410] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="..") returned 1 [0105.410] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="...") returned 1 [0105.410] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="windows") returned 1 [0105.410] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="$RECYCLE.BIN") returned 1 [0105.410] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="rsa") returned 1 [0105.410] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="log") returned 1 [0105.410] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="NTDETECT.COM") returned 1 [0105.410] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="ntldr") returned 1 [0105.410] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="MSDOS.SYS") returned 1 [0105.410] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="IO.SYS") returned 1 [0105.410] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="boot.ini") returned 1 [0105.411] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="AUTOEXEC.BAT") returned 1 [0105.411] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="ntuser.dat") returned 1 [0105.411] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="desktop.ini") returned 1 [0105.411] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="CONFIG.SYS") returned 1 [0105.411] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="RECYCLER") returned 1 [0105.411] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="BOOTSECT.BAK") returned 1 [0105.411] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="bootmgr") returned 1 [0105.411] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="programdata") returned 1 [0105.411] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="appdata") returned 1 [0105.411] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="program files") returned 1 [0105.411] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="program files (x86)") returned 1 [0105.411] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.411] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="WxLYTXoAy1YslFDMb0H.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\WxLYTXoAy1YslFDMb0H.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\WxLYTXoAy1YslFDMb0H.png" [0105.411] PathFindExtensionW (pszPath="WxLYTXoAy1YslFDMb0H.png") returned=".png" [0105.411] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0105.411] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0105.411] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0105.411] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0105.411] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0105.411] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0105.411] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0105.411] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0105.411] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0105.411] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0105.411] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0105.412] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0105.412] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0105.412] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0105.412] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0105.412] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0105.412] lstrcmpiW (lpString1="WxLYTXoAy1YslFDMb0H.png", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.412] lstrlenA (lpString="NEPHILIM") returned 8 [0105.412] GetProcessHeap () returned 0x4e0000 [0105.412] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50db90 [0105.412] lstrlenA (lpString="NEPHILIM") returned 8 [0105.412] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\WxLYTXoAy1YslFDMb0H.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\wxlytxoay1yslfdmb0h.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0105.412] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=84017) returned 1 [0105.412] GetProcessHeap () returned 0x4e0000 [0105.412] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.412] GetProcessHeap () returned 0x4e0000 [0105.412] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.412] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.412] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.412] GetProcessHeap () returned 0x4e0000 [0105.412] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.412] GetProcessHeap () returned 0x4e0000 [0105.412] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.413] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24dd508*=0x100) returned 1 [0105.413] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24dd504*=0x100) returned 1 [0105.413] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x14831, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.413] SetLastError (dwErrCode=0x0) [0105.413] WriteFile (in: hFile=0xf4, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.414] GetLastError () returned 0x0 [0105.414] GetLastError () returned 0x0 [0105.414] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x14931, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.414] WriteFile (in: hFile=0xf4, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.414] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x14a31, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.414] lstrlenA (lpString="NEPHILIM") returned 8 [0105.414] WriteFile (in: hFile=0xf4, lpBuffer=0x50db90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50db90*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0105.415] GetProcessHeap () returned 0x4e0000 [0105.415] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x14831) returned 0x50dcb8 [0105.415] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.415] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x14831, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x14831, lpOverlapped=0x0) returned 1 [0105.422] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.422] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x14831, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x14831, lpOverlapped=0x0) returned 1 [0105.423] GetProcessHeap () returned 0x4e0000 [0105.423] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.423] CloseHandle (hObject=0xf4) returned 1 [0105.428] GetProcessHeap () returned 0x4e0000 [0105.428] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.428] GetProcessHeap () returned 0x4e0000 [0105.428] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.428] GetProcessHeap () returned 0x4e0000 [0105.428] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.428] GetProcessHeap () returned 0x4e0000 [0105.428] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.428] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\WxLYTXoAy1YslFDMb0H.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\WxLYTXoAy1YslFDMb0H.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\WxLYTXoAy1YslFDMb0H.png" [0105.428] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\WxLYTXoAy1YslFDMb0H.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\WxLYTXoAy1YslFDMb0H.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\WxLYTXoAy1YslFDMb0H.png.NEPHILIM" [0105.428] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\WxLYTXoAy1YslFDMb0H.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\wxlytxoay1yslfdmb0h.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\WxLYTXoAy1YslFDMb0H.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\wxlytxoay1yslfdmb0h.png.nephilim")) returned 1 [0105.429] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65e245a0, ftCreationTime.dwHighDateTime=0x1d5e187, ftLastAccessTime.dwLowDateTime=0xed6c82f0, ftLastAccessTime.dwHighDateTime=0x1d5e688, ftLastWriteTime.dwLowDateTime=0xed6c82f0, ftLastWriteTime.dwHighDateTime=0x1d5e688, nFileSizeHigh=0x0, nFileSizeLow=0x171c5, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="Zoo99HBT.bmp", cAlternateFileName="")) returned 1 [0105.429] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2=".") returned 1 [0105.429] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="..") returned 1 [0105.429] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="...") returned 1 [0105.429] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="windows") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="$RECYCLE.BIN") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="rsa") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="log") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="NTDETECT.COM") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="ntldr") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="MSDOS.SYS") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="IO.SYS") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="boot.ini") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="ntuser.dat") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="desktop.ini") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="CONFIG.SYS") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="RECYCLER") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="BOOTSECT.BAK") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="bootmgr") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="programdata") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="appdata") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="program files") returned 1 [0105.430] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="program files (x86)") returned 1 [0105.430] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\" [0105.430] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\", lpString2="Zoo99HBT.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\Zoo99HBT.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\Zoo99HBT.bmp" [0105.430] PathFindExtensionW (pszPath="Zoo99HBT.bmp") returned=".bmp" [0105.430] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0105.431] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0105.431] lstrcmpiW (lpString1="Zoo99HBT.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.431] lstrlenA (lpString="NEPHILIM") returned 8 [0105.431] GetProcessHeap () returned 0x4e0000 [0105.431] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dba0 [0105.431] lstrlenA (lpString="NEPHILIM") returned 8 [0105.431] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\Zoo99HBT.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\zoo99hbt.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0105.432] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=94661) returned 1 [0105.432] GetProcessHeap () returned 0x4e0000 [0105.432] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.432] GetProcessHeap () returned 0x4e0000 [0105.432] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.432] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.432] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.432] GetProcessHeap () returned 0x4e0000 [0105.432] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.432] GetProcessHeap () returned 0x4e0000 [0105.432] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.432] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24dd508*=0x100) returned 1 [0105.432] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24dd504*=0x100) returned 1 [0105.432] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x171c5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.432] SetLastError (dwErrCode=0x0) [0105.432] WriteFile (in: hFile=0xf4, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.433] GetLastError () returned 0x0 [0105.433] GetLastError () returned 0x0 [0105.433] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x172c5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.433] WriteFile (in: hFile=0xf4, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0105.433] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x173c5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.434] lstrlenA (lpString="NEPHILIM") returned 8 [0105.434] WriteFile (in: hFile=0xf4, lpBuffer=0x50dba0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dba0*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0105.434] GetProcessHeap () returned 0x4e0000 [0105.434] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x171c5) returned 0x50dcb8 [0105.434] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.434] ReadFile (in: hFile=0xf4, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x171c5, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dd730*=0x171c5, lpOverlapped=0x0) returned 1 [0105.439] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.439] WriteFile (in: hFile=0xf4, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x171c5, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dd73c*=0x171c5, lpOverlapped=0x0) returned 1 [0105.440] GetProcessHeap () returned 0x4e0000 [0105.440] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.440] CloseHandle (hObject=0xf4) returned 1 [0105.444] GetProcessHeap () returned 0x4e0000 [0105.444] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.444] GetProcessHeap () returned 0x4e0000 [0105.444] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.444] GetProcessHeap () returned 0x4e0000 [0105.444] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.444] GetProcessHeap () returned 0x4e0000 [0105.444] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.444] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\Zoo99HBT.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\Zoo99HBT.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\Zoo99HBT.bmp" [0105.444] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\Zoo99HBT.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\Zoo99HBT.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\Zoo99HBT.bmp.NEPHILIM" [0105.444] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\Zoo99HBT.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\zoo99hbt.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\woXaBqbokyzl2r\\Zoo99HBT.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\woxabqbokyzl2r\\zoo99hbt.bmp.nephilim")) returned 1 [0105.445] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65e245a0, ftCreationTime.dwHighDateTime=0x1d5e187, ftLastAccessTime.dwLowDateTime=0xed6c82f0, ftLastAccessTime.dwHighDateTime=0x1d5e688, ftLastWriteTime.dwLowDateTime=0xed6c82f0, ftLastWriteTime.dwHighDateTime=0x1d5e688, nFileSizeHigh=0x0, nFileSizeLow=0x171c5, dwReserved0=0x24dd72c, dwReserved1=0x6cc3827f, cFileName="Zoo99HBT.bmp", cAlternateFileName="")) returned 0 [0105.445] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0105.445] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bb6ea70, ftCreationTime.dwHighDateTime=0x1d5e777, ftLastAccessTime.dwLowDateTime=0xb1b3c2c0, ftLastAccessTime.dwHighDateTime=0x1d5dc9a, ftLastWriteTime.dwLowDateTime=0xb1b3c2c0, ftLastWriteTime.dwHighDateTime=0x1d5dc9a, nFileSizeHigh=0x0, nFileSizeLow=0x13a86, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="XvsJbsiYY_.jpg", cAlternateFileName="XVSJBS~1.JPG")) returned 1 [0105.445] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2=".") returned 1 [0105.445] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="..") returned 1 [0105.445] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="...") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="windows") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="$RECYCLE.BIN") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="rsa") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="log") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="NTDETECT.COM") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="ntldr") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="MSDOS.SYS") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="IO.SYS") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="boot.ini") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="ntuser.dat") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="desktop.ini") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="CONFIG.SYS") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="RECYCLER") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="BOOTSECT.BAK") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="bootmgr") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="programdata") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="appdata") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="program files") returned 1 [0105.446] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="program files (x86)") returned 1 [0105.446] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\" [0105.446] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\", lpString2="XvsJbsiYY_.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\XvsJbsiYY_.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\XvsJbsiYY_.jpg" [0105.446] PathFindExtensionW (pszPath="XvsJbsiYY_.jpg") returned=".jpg" [0105.446] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0105.446] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0105.447] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0105.447] lstrcmpiW (lpString1="XvsJbsiYY_.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.447] lstrlenA (lpString="NEPHILIM") returned 8 [0105.447] GetProcessHeap () returned 0x4e0000 [0105.447] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dbb0 [0105.447] lstrlenA (lpString="NEPHILIM") returned 8 [0105.447] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\XvsJbsiYY_.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\xvsjbsiyy_.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0105.448] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=80518) returned 1 [0105.448] GetProcessHeap () returned 0x4e0000 [0105.448] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.448] GetProcessHeap () returned 0x4e0000 [0105.448] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.448] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.448] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.448] GetProcessHeap () returned 0x4e0000 [0105.448] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.448] GetProcessHeap () returned 0x4e0000 [0105.448] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.448] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0105.448] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0105.448] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x13a86, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.448] SetLastError (dwErrCode=0x0) [0105.449] WriteFile (in: hFile=0xf0, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.449] GetLastError () returned 0x0 [0105.449] GetLastError () returned 0x0 [0105.449] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x13b86, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.449] WriteFile (in: hFile=0xf0, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0105.450] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x13c86, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.450] lstrlenA (lpString="NEPHILIM") returned 8 [0105.450] WriteFile (in: hFile=0xf0, lpBuffer=0x50dbb0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dbb0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0105.450] GetProcessHeap () returned 0x4e0000 [0105.450] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x13a86) returned 0x50dcb8 [0105.450] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.450] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x13a86, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x13a86, lpOverlapped=0x0) returned 1 [0105.455] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.455] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x13a86, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x13a86, lpOverlapped=0x0) returned 1 [0105.455] GetProcessHeap () returned 0x4e0000 [0105.455] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.456] CloseHandle (hObject=0xf0) returned 1 [0105.460] GetProcessHeap () returned 0x4e0000 [0105.460] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.460] GetProcessHeap () returned 0x4e0000 [0105.460] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.460] GetProcessHeap () returned 0x4e0000 [0105.460] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.460] GetProcessHeap () returned 0x4e0000 [0105.460] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.460] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\XvsJbsiYY_.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\XvsJbsiYY_.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\XvsJbsiYY_.jpg" [0105.460] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\XvsJbsiYY_.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\XvsJbsiYY_.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\XvsJbsiYY_.jpg.NEPHILIM" [0105.460] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\XvsJbsiYY_.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\xvsjbsiyy_.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\AAq03dS _t6R\\XvsJbsiYY_.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\aaq03ds _t6r\\xvsjbsiyy_.jpg.nephilim")) returned 1 [0105.461] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bb6ea70, ftCreationTime.dwHighDateTime=0x1d5e777, ftLastAccessTime.dwLowDateTime=0xb1b3c2c0, ftLastAccessTime.dwHighDateTime=0x1d5dc9a, ftLastWriteTime.dwLowDateTime=0xb1b3c2c0, ftLastWriteTime.dwHighDateTime=0x1d5dc9a, nFileSizeHigh=0x0, nFileSizeLow=0x13a86, dwReserved0=0x24dddac, dwReserved1=0x76628230, cFileName="XvsJbsiYY_.jpg", cAlternateFileName="XVSJBS~1.JPG")) returned 0 [0105.461] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0105.462] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0105.462] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0105.462] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x790a2fd0, ftCreationTime.dwHighDateTime=0x1d5e65f, ftLastAccessTime.dwLowDateTime=0x8facb700, ftLastAccessTime.dwHighDateTime=0x1d5dfa0, ftLastWriteTime.dwLowDateTime=0x8facb700, ftLastWriteTime.dwHighDateTime=0x1d5dfa0, nFileSizeHigh=0x0, nFileSizeLow=0xe7eb, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="H rETdZpNCxZiyix.jpg", cAlternateFileName="HRETDZ~1.JPG")) returned 1 [0105.462] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2=".") returned 1 [0105.462] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="..") returned 1 [0105.462] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="...") returned 1 [0105.462] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="windows") returned -1 [0105.462] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="$RECYCLE.BIN") returned 1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="rsa") returned -1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="log") returned -1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="NTDETECT.COM") returned -1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="ntldr") returned -1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="MSDOS.SYS") returned -1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="IO.SYS") returned -1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="boot.ini") returned 1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="ntuser.dat") returned -1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="desktop.ini") returned 1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="CONFIG.SYS") returned 1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="RECYCLER") returned -1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="BOOTSECT.BAK") returned 1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="bootmgr") returned 1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="programdata") returned -1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="appdata") returned 1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="program files") returned -1 [0105.463] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="program files (x86)") returned -1 [0105.463] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0105.463] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="H rETdZpNCxZiyix.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\H rETdZpNCxZiyix.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\H rETdZpNCxZiyix.jpg" [0105.463] PathFindExtensionW (pszPath="H rETdZpNCxZiyix.jpg") returned=".jpg" [0105.463] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0105.463] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0105.464] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0105.464] lstrcmpiW (lpString1="H rETdZpNCxZiyix.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.464] lstrlenA (lpString="NEPHILIM") returned 8 [0105.464] GetProcessHeap () returned 0x4e0000 [0105.464] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dbc0 [0105.464] lstrlenA (lpString="NEPHILIM") returned 8 [0105.464] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\H rETdZpNCxZiyix.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\h retdzpncxziyix.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.465] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=59371) returned 1 [0105.465] GetProcessHeap () returned 0x4e0000 [0105.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.465] GetProcessHeap () returned 0x4e0000 [0105.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.465] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.465] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.465] GetProcessHeap () returned 0x4e0000 [0105.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.465] GetProcessHeap () returned 0x4e0000 [0105.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.465] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.465] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.466] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe7eb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.468] SetLastError (dwErrCode=0x0) [0105.468] WriteFile (in: hFile=0xec, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.469] GetLastError () returned 0x0 [0105.469] GetLastError () returned 0x0 [0105.469] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe8eb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.469] WriteFile (in: hFile=0xec, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.470] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe9eb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.470] lstrlenA (lpString="NEPHILIM") returned 8 [0105.470] WriteFile (in: hFile=0xec, lpBuffer=0x50dbc0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dbc0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.470] GetProcessHeap () returned 0x4e0000 [0105.470] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xe7eb) returned 0x50dcb8 [0105.470] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.470] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xe7eb, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0xe7eb, lpOverlapped=0x0) returned 1 [0105.473] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.474] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xe7eb, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0xe7eb, lpOverlapped=0x0) returned 1 [0105.474] GetProcessHeap () returned 0x4e0000 [0105.474] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.474] CloseHandle (hObject=0xec) returned 1 [0105.476] GetProcessHeap () returned 0x4e0000 [0105.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.476] GetProcessHeap () returned 0x4e0000 [0105.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.476] GetProcessHeap () returned 0x4e0000 [0105.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.476] GetProcessHeap () returned 0x4e0000 [0105.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.476] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\H rETdZpNCxZiyix.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\H rETdZpNCxZiyix.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\H rETdZpNCxZiyix.jpg" [0105.476] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\H rETdZpNCxZiyix.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\H rETdZpNCxZiyix.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\H rETdZpNCxZiyix.jpg.NEPHILIM" [0105.476] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\H rETdZpNCxZiyix.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\h retdzpncxziyix.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\H rETdZpNCxZiyix.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\h retdzpncxziyix.jpg.nephilim")) returned 1 [0105.477] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec1b9740, ftCreationTime.dwHighDateTime=0x1d5e53b, ftLastAccessTime.dwLowDateTime=0x91acfc70, ftLastAccessTime.dwHighDateTime=0x1d5e646, ftLastWriteTime.dwLowDateTime=0x91acfc70, ftLastWriteTime.dwHighDateTime=0x1d5e646, nFileSizeHigh=0x0, nFileSizeLow=0x9f70, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="kWJIUzWXrzXqyBJ_.bmp", cAlternateFileName="KWJIUZ~1.BMP")) returned 1 [0105.477] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2=".") returned 1 [0105.477] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="..") returned 1 [0105.477] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="...") returned 1 [0105.477] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="windows") returned -1 [0105.477] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="$RECYCLE.BIN") returned 1 [0105.477] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="rsa") returned -1 [0105.477] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="log") returned -1 [0105.477] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="NTDETECT.COM") returned -1 [0105.477] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="ntldr") returned -1 [0105.477] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="MSDOS.SYS") returned -1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="IO.SYS") returned 1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="boot.ini") returned 1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="ntuser.dat") returned -1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="desktop.ini") returned 1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="CONFIG.SYS") returned 1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="RECYCLER") returned -1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="BOOTSECT.BAK") returned 1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="bootmgr") returned 1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="programdata") returned -1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="appdata") returned 1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="program files") returned -1 [0105.478] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="program files (x86)") returned -1 [0105.478] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0105.478] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="kWJIUzWXrzXqyBJ_.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kWJIUzWXrzXqyBJ_.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kWJIUzWXrzXqyBJ_.bmp" [0105.478] PathFindExtensionW (pszPath="kWJIUzWXrzXqyBJ_.bmp") returned=".bmp" [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0105.478] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0105.479] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0105.479] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0105.479] lstrcmpiW (lpString1="kWJIUzWXrzXqyBJ_.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.479] lstrlenA (lpString="NEPHILIM") returned 8 [0105.479] GetProcessHeap () returned 0x4e0000 [0105.479] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dbd0 [0105.479] lstrlenA (lpString="NEPHILIM") returned 8 [0105.479] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kWJIUzWXrzXqyBJ_.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kwjiuzwxrzxqybj_.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.479] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=40816) returned 1 [0105.479] GetProcessHeap () returned 0x4e0000 [0105.479] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.479] GetProcessHeap () returned 0x4e0000 [0105.479] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.479] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.479] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.479] GetProcessHeap () returned 0x4e0000 [0105.479] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.479] GetProcessHeap () returned 0x4e0000 [0105.479] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.479] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.480] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.480] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x9f70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.480] SetLastError (dwErrCode=0x0) [0105.480] WriteFile (in: hFile=0xec, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.481] GetLastError () returned 0x0 [0105.481] GetLastError () returned 0x0 [0105.481] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xa070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.481] WriteFile (in: hFile=0xec, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.481] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xa170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.482] lstrlenA (lpString="NEPHILIM") returned 8 [0105.482] WriteFile (in: hFile=0xec, lpBuffer=0x50dbd0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dbd0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.482] GetProcessHeap () returned 0x4e0000 [0105.482] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x9f70) returned 0x50dcb8 [0105.482] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.482] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x9f70, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x9f70, lpOverlapped=0x0) returned 1 [0105.485] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.485] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x9f70, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x9f70, lpOverlapped=0x0) returned 1 [0105.485] GetProcessHeap () returned 0x4e0000 [0105.485] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.486] CloseHandle (hObject=0xec) returned 1 [0105.492] GetProcessHeap () returned 0x4e0000 [0105.492] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.492] GetProcessHeap () returned 0x4e0000 [0105.492] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.492] GetProcessHeap () returned 0x4e0000 [0105.492] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.492] GetProcessHeap () returned 0x4e0000 [0105.492] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.492] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kWJIUzWXrzXqyBJ_.bmp" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kWJIUzWXrzXqyBJ_.bmp") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kWJIUzWXrzXqyBJ_.bmp" [0105.492] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kWJIUzWXrzXqyBJ_.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kWJIUzWXrzXqyBJ_.bmp.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kWJIUzWXrzXqyBJ_.bmp.NEPHILIM" [0105.493] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kWJIUzWXrzXqyBJ_.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kwjiuzwxrzxqybj_.bmp"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kWJIUzWXrzXqyBJ_.bmp.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kwjiuzwxrzxqybj_.bmp.nephilim")) returned 1 [0105.493] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3908a050, ftCreationTime.dwHighDateTime=0x1d5d869, ftLastAccessTime.dwLowDateTime=0x8de6fb20, ftLastAccessTime.dwHighDateTime=0x1d5def0, ftLastWriteTime.dwLowDateTime=0x8de6fb20, ftLastWriteTime.dwHighDateTime=0x1d5def0, nFileSizeHigh=0x0, nFileSizeLow=0x11c57, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="lNQksITpPuLC3wBX3WUY.jpg", cAlternateFileName="LNQKSI~1.JPG")) returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2=".") returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="..") returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="...") returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="windows") returned -1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="$RECYCLE.BIN") returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="rsa") returned -1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="log") returned -1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="NTDETECT.COM") returned -1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="ntldr") returned -1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="MSDOS.SYS") returned -1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="IO.SYS") returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="boot.ini") returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="ntuser.dat") returned -1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="desktop.ini") returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="CONFIG.SYS") returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="RECYCLER") returned -1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="BOOTSECT.BAK") returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="bootmgr") returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="programdata") returned -1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="appdata") returned 1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="program files") returned -1 [0105.494] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="program files (x86)") returned -1 [0105.494] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0105.494] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="lNQksITpPuLC3wBX3WUY.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\lNQksITpPuLC3wBX3WUY.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\lNQksITpPuLC3wBX3WUY.jpg" [0105.494] PathFindExtensionW (pszPath="lNQksITpPuLC3wBX3WUY.jpg") returned=".jpg" [0105.494] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0105.494] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0105.494] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0105.494] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0105.494] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0105.494] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0105.495] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0105.495] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0105.495] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0105.495] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0105.495] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0105.495] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0105.495] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0105.495] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0105.495] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0105.495] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0105.495] lstrcmpiW (lpString1="lNQksITpPuLC3wBX3WUY.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.495] lstrlenA (lpString="NEPHILIM") returned 8 [0105.495] GetProcessHeap () returned 0x4e0000 [0105.495] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dbe0 [0105.495] lstrlenA (lpString="NEPHILIM") returned 8 [0105.495] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\lNQksITpPuLC3wBX3WUY.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\lnqksitppulc3wbx3wuy.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.495] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=72791) returned 1 [0105.495] GetProcessHeap () returned 0x4e0000 [0105.495] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.495] GetProcessHeap () returned 0x4e0000 [0105.495] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.495] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.495] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.495] GetProcessHeap () returned 0x4e0000 [0105.495] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.495] GetProcessHeap () returned 0x4e0000 [0105.496] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.496] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.496] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.496] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11c57, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.496] SetLastError (dwErrCode=0x0) [0105.496] WriteFile (in: hFile=0xec, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.497] GetLastError () returned 0x0 [0105.497] GetLastError () returned 0x0 [0105.497] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11d57, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.497] WriteFile (in: hFile=0xec, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.498] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11e57, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.498] lstrlenA (lpString="NEPHILIM") returned 8 [0105.498] WriteFile (in: hFile=0xec, lpBuffer=0x50dbe0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dbe0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.498] GetProcessHeap () returned 0x4e0000 [0105.498] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x11c57) returned 0x50dcb8 [0105.498] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.498] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x11c57, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x11c57, lpOverlapped=0x0) returned 1 [0105.503] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.503] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x11c57, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x11c57, lpOverlapped=0x0) returned 1 [0105.503] GetProcessHeap () returned 0x4e0000 [0105.503] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.503] CloseHandle (hObject=0xec) returned 1 [0105.516] GetProcessHeap () returned 0x4e0000 [0105.516] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.516] GetProcessHeap () returned 0x4e0000 [0105.516] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.517] GetProcessHeap () returned 0x4e0000 [0105.517] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.517] GetProcessHeap () returned 0x4e0000 [0105.517] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.517] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\lNQksITpPuLC3wBX3WUY.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\lNQksITpPuLC3wBX3WUY.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\lNQksITpPuLC3wBX3WUY.jpg" [0105.517] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\lNQksITpPuLC3wBX3WUY.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\lNQksITpPuLC3wBX3WUY.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\lNQksITpPuLC3wBX3WUY.jpg.NEPHILIM" [0105.517] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\lNQksITpPuLC3wBX3WUY.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\lnqksitppulc3wbx3wuy.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\lNQksITpPuLC3wBX3WUY.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\lnqksitppulc3wbx3wuy.jpg.nephilim")) returned 1 [0105.518] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc34733c0, ftCreationTime.dwHighDateTime=0x1d5d87e, ftLastAccessTime.dwLowDateTime=0x1cdd05f0, ftLastAccessTime.dwHighDateTime=0x1d5e355, ftLastWriteTime.dwLowDateTime=0x1cdd05f0, ftLastWriteTime.dwHighDateTime=0x1d5e355, nFileSizeHigh=0x0, nFileSizeLow=0x4850, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="oYnhF7jjLMo4MYEMc.png", cAlternateFileName="OYNHF7~1.PNG")) returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2=".") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="..") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="...") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="windows") returned -1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="$RECYCLE.BIN") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="rsa") returned -1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="log") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="NTDETECT.COM") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="ntldr") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="MSDOS.SYS") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="IO.SYS") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="boot.ini") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="AUTOEXEC.BAT") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="ntuser.dat") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="desktop.ini") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="CONFIG.SYS") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="RECYCLER") returned -1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="BOOTSECT.BAK") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="bootmgr") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="programdata") returned -1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="appdata") returned 1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="program files") returned -1 [0105.519] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="program files (x86)") returned -1 [0105.519] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0105.519] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="oYnhF7jjLMo4MYEMc.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\oYnhF7jjLMo4MYEMc.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\oYnhF7jjLMo4MYEMc.png" [0105.519] PathFindExtensionW (pszPath="oYnhF7jjLMo4MYEMc.png") returned=".png" [0105.519] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0105.519] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0105.520] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0105.520] lstrcmpiW (lpString1="oYnhF7jjLMo4MYEMc.png", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.520] lstrlenA (lpString="NEPHILIM") returned 8 [0105.520] GetProcessHeap () returned 0x4e0000 [0105.520] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dbf0 [0105.520] lstrlenA (lpString="NEPHILIM") returned 8 [0105.520] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\oYnhF7jjLMo4MYEMc.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\oynhf7jjlmo4myemc.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.520] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=18512) returned 1 [0105.520] GetProcessHeap () returned 0x4e0000 [0105.520] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.520] GetProcessHeap () returned 0x4e0000 [0105.521] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.521] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.521] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.521] GetProcessHeap () returned 0x4e0000 [0105.521] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.521] GetProcessHeap () returned 0x4e0000 [0105.521] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.521] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.521] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.521] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x4850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.521] SetLastError (dwErrCode=0x0) [0105.521] WriteFile (in: hFile=0xec, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.522] GetLastError () returned 0x0 [0105.522] GetLastError () returned 0x0 [0105.522] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x4950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.522] WriteFile (in: hFile=0xec, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.522] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x4a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.522] lstrlenA (lpString="NEPHILIM") returned 8 [0105.522] WriteFile (in: hFile=0xec, lpBuffer=0x50dbf0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dbf0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.522] GetProcessHeap () returned 0x4e0000 [0105.522] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x4850) returned 0x50dcb8 [0105.522] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.522] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x4850, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x4850, lpOverlapped=0x0) returned 1 [0105.523] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.524] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x4850, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x4850, lpOverlapped=0x0) returned 1 [0105.524] GetProcessHeap () returned 0x4e0000 [0105.524] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.524] CloseHandle (hObject=0xec) returned 1 [0105.525] GetProcessHeap () returned 0x4e0000 [0105.525] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.525] GetProcessHeap () returned 0x4e0000 [0105.525] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.525] GetProcessHeap () returned 0x4e0000 [0105.525] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.525] GetProcessHeap () returned 0x4e0000 [0105.525] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.525] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\oYnhF7jjLMo4MYEMc.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\oYnhF7jjLMo4MYEMc.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\oYnhF7jjLMo4MYEMc.png" [0105.525] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\oYnhF7jjLMo4MYEMc.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\oYnhF7jjLMo4MYEMc.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\oYnhF7jjLMo4MYEMc.png.NEPHILIM" [0105.525] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\oYnhF7jjLMo4MYEMc.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\oynhf7jjlmo4myemc.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\oYnhF7jjLMo4MYEMc.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\oynhf7jjlmo4myemc.png.nephilim")) returned 1 [0105.526] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60e66340, ftCreationTime.dwHighDateTime=0x1d5e2bf, ftLastAccessTime.dwLowDateTime=0xc0a404b0, ftLastAccessTime.dwHighDateTime=0x1d5d985, ftLastWriteTime.dwLowDateTime=0xc0a404b0, ftLastWriteTime.dwHighDateTime=0x1d5d985, nFileSizeHigh=0x0, nFileSizeLow=0xa4fe, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="R_aLDxI--zaqsM0.jpg", cAlternateFileName="R_ALDX~1.JPG")) returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2=".") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="..") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="...") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="windows") returned -1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="$RECYCLE.BIN") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="rsa") returned -1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="log") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="NTDETECT.COM") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="ntldr") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="MSDOS.SYS") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="IO.SYS") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="boot.ini") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="ntuser.dat") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="desktop.ini") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="CONFIG.SYS") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="RECYCLER") returned -1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="BOOTSECT.BAK") returned 1 [0105.526] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="bootmgr") returned 1 [0105.527] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="programdata") returned 1 [0105.527] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="appdata") returned 1 [0105.527] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="program files") returned 1 [0105.527] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="program files (x86)") returned 1 [0105.527] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0105.527] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="R_aLDxI--zaqsM0.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\R_aLDxI--zaqsM0.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\R_aLDxI--zaqsM0.jpg" [0105.527] PathFindExtensionW (pszPath="R_aLDxI--zaqsM0.jpg") returned=".jpg" [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0105.527] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0105.527] lstrcmpiW (lpString1="R_aLDxI--zaqsM0.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.527] lstrlenA (lpString="NEPHILIM") returned 8 [0105.527] GetProcessHeap () returned 0x4e0000 [0105.527] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dc00 [0105.527] lstrlenA (lpString="NEPHILIM") returned 8 [0105.527] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\R_aLDxI--zaqsM0.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\r_aldxi--zaqsm0.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.528] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=42238) returned 1 [0105.528] GetProcessHeap () returned 0x4e0000 [0105.528] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.528] GetProcessHeap () returned 0x4e0000 [0105.528] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.528] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.528] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.528] GetProcessHeap () returned 0x4e0000 [0105.528] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.528] GetProcessHeap () returned 0x4e0000 [0105.528] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.528] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.528] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.528] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xa4fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.528] SetLastError (dwErrCode=0x0) [0105.528] WriteFile (in: hFile=0xec, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.529] GetLastError () returned 0x0 [0105.529] GetLastError () returned 0x0 [0105.529] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xa5fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.529] WriteFile (in: hFile=0xec, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.530] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xa6fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.530] lstrlenA (lpString="NEPHILIM") returned 8 [0105.530] WriteFile (in: hFile=0xec, lpBuffer=0x50dc00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dc00*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.530] GetProcessHeap () returned 0x4e0000 [0105.530] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xa4fe) returned 0x50dcb8 [0105.530] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.530] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xa4fe, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0xa4fe, lpOverlapped=0x0) returned 1 [0105.532] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.532] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xa4fe, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0xa4fe, lpOverlapped=0x0) returned 1 [0105.533] GetProcessHeap () returned 0x4e0000 [0105.533] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.533] CloseHandle (hObject=0xec) returned 1 [0105.534] GetProcessHeap () returned 0x4e0000 [0105.534] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.534] GetProcessHeap () returned 0x4e0000 [0105.534] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.534] GetProcessHeap () returned 0x4e0000 [0105.534] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.534] GetProcessHeap () returned 0x4e0000 [0105.534] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.534] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\R_aLDxI--zaqsM0.jpg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\R_aLDxI--zaqsM0.jpg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\R_aLDxI--zaqsM0.jpg" [0105.534] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\R_aLDxI--zaqsM0.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\R_aLDxI--zaqsM0.jpg.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\R_aLDxI--zaqsM0.jpg.NEPHILIM" [0105.534] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\R_aLDxI--zaqsM0.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\r_aldxi--zaqsm0.jpg"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\R_aLDxI--zaqsM0.jpg.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\r_aldxi--zaqsm0.jpg.nephilim")) returned 1 [0105.535] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376347e0, ftCreationTime.dwHighDateTime=0x1d5d9e1, ftLastAccessTime.dwLowDateTime=0x20ea8490, ftLastAccessTime.dwHighDateTime=0x1d5e1b8, ftLastWriteTime.dwLowDateTime=0x20ea8490, ftLastWriteTime.dwHighDateTime=0x1d5e1b8, nFileSizeHigh=0x0, nFileSizeLow=0x17ad3, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="wh4Za_QMfWN8Y_9OeV.gif", cAlternateFileName="WH4ZA_~1.GIF")) returned 1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2=".") returned 1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="..") returned 1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="...") returned 1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="windows") returned -1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="$RECYCLE.BIN") returned 1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="rsa") returned 1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="log") returned 1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="NTDETECT.COM") returned 1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="ntldr") returned 1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="MSDOS.SYS") returned 1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="IO.SYS") returned 1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="boot.ini") returned 1 [0105.535] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="AUTOEXEC.BAT") returned 1 [0105.536] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="ntuser.dat") returned 1 [0105.536] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="desktop.ini") returned 1 [0105.536] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="CONFIG.SYS") returned 1 [0105.536] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="RECYCLER") returned 1 [0105.536] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="BOOTSECT.BAK") returned 1 [0105.536] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="bootmgr") returned 1 [0105.536] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="programdata") returned 1 [0105.536] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="appdata") returned 1 [0105.536] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="program files") returned 1 [0105.536] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="program files (x86)") returned 1 [0105.536] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0105.536] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="wh4Za_QMfWN8Y_9OeV.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wh4Za_QMfWN8Y_9OeV.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wh4Za_QMfWN8Y_9OeV.gif" [0105.536] PathFindExtensionW (pszPath="wh4Za_QMfWN8Y_9OeV.gif") returned=".gif" [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".NEPHILIM") returned -1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0105.536] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0105.536] lstrcmpiW (lpString1="wh4Za_QMfWN8Y_9OeV.gif", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.536] lstrlenA (lpString="NEPHILIM") returned 8 [0105.537] GetProcessHeap () returned 0x4e0000 [0105.537] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dc10 [0105.537] lstrlenA (lpString="NEPHILIM") returned 8 [0105.537] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wh4Za_QMfWN8Y_9OeV.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wh4za_qmfwn8y_9oev.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.537] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=96979) returned 1 [0105.537] GetProcessHeap () returned 0x4e0000 [0105.537] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.537] GetProcessHeap () returned 0x4e0000 [0105.537] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.537] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.537] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.537] GetProcessHeap () returned 0x4e0000 [0105.537] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.537] GetProcessHeap () returned 0x4e0000 [0105.537] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.537] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.537] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.538] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17ad3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.538] SetLastError (dwErrCode=0x0) [0105.538] WriteFile (in: hFile=0xec, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.539] GetLastError () returned 0x0 [0105.539] GetLastError () returned 0x0 [0105.539] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17bd3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.539] WriteFile (in: hFile=0xec, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.539] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17cd3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.539] lstrlenA (lpString="NEPHILIM") returned 8 [0105.539] WriteFile (in: hFile=0xec, lpBuffer=0x50dc10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dc10*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.539] GetProcessHeap () returned 0x4e0000 [0105.539] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x17ad3) returned 0x50dcb8 [0105.539] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.539] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x17ad3, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x17ad3, lpOverlapped=0x0) returned 1 [0105.545] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.545] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x17ad3, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x17ad3, lpOverlapped=0x0) returned 1 [0105.546] GetProcessHeap () returned 0x4e0000 [0105.546] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.546] CloseHandle (hObject=0xec) returned 1 [0105.548] GetProcessHeap () returned 0x4e0000 [0105.548] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.548] GetProcessHeap () returned 0x4e0000 [0105.548] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.548] GetProcessHeap () returned 0x4e0000 [0105.548] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.548] GetProcessHeap () returned 0x4e0000 [0105.548] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.548] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wh4Za_QMfWN8Y_9OeV.gif" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wh4Za_QMfWN8Y_9OeV.gif") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wh4Za_QMfWN8Y_9OeV.gif" [0105.548] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wh4Za_QMfWN8Y_9OeV.gif", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wh4Za_QMfWN8Y_9OeV.gif.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wh4Za_QMfWN8Y_9OeV.gif.NEPHILIM" [0105.548] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wh4Za_QMfWN8Y_9OeV.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wh4za_qmfwn8y_9oev.gif"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\wh4Za_QMfWN8Y_9OeV.gif.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\wh4za_qmfwn8y_9oev.gif.nephilim")) returned 1 [0105.552] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0de3de0, ftCreationTime.dwHighDateTime=0x1d5e783, ftLastAccessTime.dwLowDateTime=0xec5e5880, ftLastAccessTime.dwHighDateTime=0x1d5e79f, ftLastWriteTime.dwLowDateTime=0xec5e5880, ftLastWriteTime.dwHighDateTime=0x1d5e79f, nFileSizeHigh=0x0, nFileSizeLow=0x463a, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="X55YkSvWHYx.png", cAlternateFileName="X55YKS~1.PNG")) returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2=".") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="..") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="...") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="windows") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="$RECYCLE.BIN") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="rsa") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="log") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="NTDETECT.COM") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="ntldr") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="MSDOS.SYS") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="IO.SYS") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="boot.ini") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="AUTOEXEC.BAT") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="ntuser.dat") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="desktop.ini") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="CONFIG.SYS") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="RECYCLER") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="BOOTSECT.BAK") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="bootmgr") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="programdata") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="appdata") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="program files") returned 1 [0105.553] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="program files (x86)") returned 1 [0105.553] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0105.553] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="X55YkSvWHYx.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\X55YkSvWHYx.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\X55YkSvWHYx.png" [0105.553] PathFindExtensionW (pszPath="X55YkSvWHYx.png") returned=".png" [0105.553] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0105.553] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0105.554] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0105.554] lstrcmpiW (lpString1="X55YkSvWHYx.png", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.554] lstrlenA (lpString="NEPHILIM") returned 8 [0105.554] GetProcessHeap () returned 0x4e0000 [0105.554] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dc20 [0105.554] lstrlenA (lpString="NEPHILIM") returned 8 [0105.554] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\X55YkSvWHYx.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\x55yksvwhyx.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.554] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=17978) returned 1 [0105.554] GetProcessHeap () returned 0x4e0000 [0105.555] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.555] GetProcessHeap () returned 0x4e0000 [0105.555] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.555] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.555] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.555] GetProcessHeap () returned 0x4e0000 [0105.555] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.555] GetProcessHeap () returned 0x4e0000 [0105.555] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.555] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.555] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.555] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x463a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.555] SetLastError (dwErrCode=0x0) [0105.555] WriteFile (in: hFile=0xec, lpBuffer=0x508b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508b48*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.556] GetLastError () returned 0x0 [0105.556] GetLastError () returned 0x0 [0105.556] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x473a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.556] WriteFile (in: hFile=0xec, lpBuffer=0x508c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508c50*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.557] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x483a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.557] lstrlenA (lpString="NEPHILIM") returned 8 [0105.557] WriteFile (in: hFile=0xec, lpBuffer=0x50dc20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dc20*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.557] GetProcessHeap () returned 0x4e0000 [0105.557] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x463a) returned 0x50dcb8 [0105.557] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.557] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x463a, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x463a, lpOverlapped=0x0) returned 1 [0105.558] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.558] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x463a, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x463a, lpOverlapped=0x0) returned 1 [0105.558] GetProcessHeap () returned 0x4e0000 [0105.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.558] CloseHandle (hObject=0xec) returned 1 [0105.568] GetProcessHeap () returned 0x4e0000 [0105.568] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508b48 | out: hHeap=0x4e0000) returned 1 [0105.568] GetProcessHeap () returned 0x4e0000 [0105.568] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508c50 | out: hHeap=0x4e0000) returned 1 [0105.568] GetProcessHeap () returned 0x4e0000 [0105.568] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504db0 | out: hHeap=0x4e0000) returned 1 [0105.568] GetProcessHeap () returned 0x4e0000 [0105.568] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504dc8 | out: hHeap=0x4e0000) returned 1 [0105.568] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\X55YkSvWHYx.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\X55YkSvWHYx.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\X55YkSvWHYx.png" [0105.569] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\X55YkSvWHYx.png", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\X55YkSvWHYx.png.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\X55YkSvWHYx.png.NEPHILIM" [0105.569] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\X55YkSvWHYx.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\x55yksvwhyx.png"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\X55YkSvWHYx.png.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\x55yksvwhyx.png.nephilim")) returned 1 [0105.570] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0de3de0, ftCreationTime.dwHighDateTime=0x1d5e783, ftLastAccessTime.dwLowDateTime=0xec5e5880, ftLastAccessTime.dwHighDateTime=0x1d5e79f, ftLastWriteTime.dwLowDateTime=0xec5e5880, ftLastWriteTime.dwHighDateTime=0x1d5e79f, nFileSizeHigh=0x0, nFileSizeLow=0x463a, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="X55YkSvWHYx.png", cAlternateFileName="X55YKS~1.PNG")) returned 0 [0105.570] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0105.570] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="...") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="windows") returned -1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="$RECYCLE.BIN") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="rsa") returned -1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="log") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="NTDETECT.COM") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="ntldr") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="MSDOS.SYS") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="IO.SYS") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="boot.ini") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="AUTOEXEC.BAT") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="ntuser.dat") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="desktop.ini") returned 1 [0105.570] lstrcmpiW (lpString1="PrintHood", lpString2="CONFIG.SYS") returned 1 [0105.571] lstrcmpiW (lpString1="PrintHood", lpString2="RECYCLER") returned -1 [0105.571] lstrcmpiW (lpString1="PrintHood", lpString2="BOOTSECT.BAK") returned 1 [0105.571] lstrcmpiW (lpString1="PrintHood", lpString2="bootmgr") returned 1 [0105.571] lstrcmpiW (lpString1="PrintHood", lpString2="programdata") returned -1 [0105.571] lstrcmpiW (lpString1="PrintHood", lpString2="appdata") returned 1 [0105.571] lstrcmpiW (lpString1="PrintHood", lpString2="program files") returned -1 [0105.571] lstrcmpiW (lpString1="PrintHood", lpString2="program files (x86)") returned -1 [0105.571] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0105.571] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="PrintHood" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood" [0105.571] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\" [0105.571] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\" [0105.571] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*.*" [0105.571] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0de3de0, ftCreationTime.dwHighDateTime=0x1d5e783, ftLastAccessTime.dwLowDateTime=0xec5e5880, ftLastAccessTime.dwHighDateTime=0x1d5e79f, ftLastWriteTime.dwLowDateTime=0xec5e5880, ftLastWriteTime.dwHighDateTime=0x1d5e79f, nFileSizeHigh=0x0, nFileSizeLow=0x463a, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="X55YkSvWHYx.png", cAlternateFileName="X55YKS~1.PNG")) returned 0xffffffff [0105.571] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Recent", cAlternateFileName="")) returned 1 [0105.571] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0105.571] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0105.571] lstrcmpiW (lpString1="Recent", lpString2="...") returned 1 [0105.571] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0105.571] lstrcmpiW (lpString1="Recent", lpString2="$RECYCLE.BIN") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="rsa") returned -1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="log") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="NTDETECT.COM") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="ntldr") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="MSDOS.SYS") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="IO.SYS") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="boot.ini") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="AUTOEXEC.BAT") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="ntuser.dat") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="desktop.ini") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="CONFIG.SYS") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="RECYCLER") returned -1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="BOOTSECT.BAK") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="bootmgr") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="programdata") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="appdata") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="program files") returned 1 [0105.572] lstrcmpiW (lpString1="Recent", lpString2="program files (x86)") returned 1 [0105.572] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0105.572] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Recent" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent" [0105.572] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\" [0105.572] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\" [0105.572] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*.*" [0105.573] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0de3de0, ftCreationTime.dwHighDateTime=0x1d5e783, ftLastAccessTime.dwLowDateTime=0xec5e5880, ftLastAccessTime.dwHighDateTime=0x1d5e79f, ftLastWriteTime.dwLowDateTime=0xec5e5880, ftLastWriteTime.dwHighDateTime=0x1d5e79f, nFileSizeHigh=0x0, nFileSizeLow=0x463a, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="X55YkSvWHYx.png", cAlternateFileName="X55YKS~1.PNG")) returned 0xffffffff [0105.573] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="...") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="windows") returned -1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="$RECYCLE.BIN") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="rsa") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="log") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="NTDETECT.COM") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="ntldr") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="MSDOS.SYS") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="IO.SYS") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="boot.ini") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="AUTOEXEC.BAT") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="ntuser.dat") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="desktop.ini") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="CONFIG.SYS") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="RECYCLER") returned 1 [0105.573] lstrcmpiW (lpString1="Saved Games", lpString2="BOOTSECT.BAK") returned 1 [0105.574] lstrcmpiW (lpString1="Saved Games", lpString2="bootmgr") returned 1 [0105.574] lstrcmpiW (lpString1="Saved Games", lpString2="programdata") returned 1 [0105.574] lstrcmpiW (lpString1="Saved Games", lpString2="appdata") returned 1 [0105.574] lstrcmpiW (lpString1="Saved Games", lpString2="program files") returned 1 [0105.574] lstrcmpiW (lpString1="Saved Games", lpString2="program files (x86)") returned 1 [0105.574] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0105.574] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Saved Games" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" [0105.574] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\" [0105.574] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\" [0105.574] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*" [0105.574] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0105.575] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.575] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="..", cAlternateFileName="")) returned 1 [0105.575] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.575] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.575] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0105.575] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0105.576] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0105.576] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0105.576] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0105.576] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Searches", cAlternateFileName="")) returned 1 [0105.576] lstrcmpiW (lpString1="Searches", lpString2=".") returned 1 [0105.576] lstrcmpiW (lpString1="Searches", lpString2="..") returned 1 [0105.576] lstrcmpiW (lpString1="Searches", lpString2="...") returned 1 [0105.576] lstrcmpiW (lpString1="Searches", lpString2="windows") returned -1 [0105.576] lstrcmpiW (lpString1="Searches", lpString2="$RECYCLE.BIN") returned 1 [0105.576] lstrcmpiW (lpString1="Searches", lpString2="rsa") returned 1 [0105.576] lstrcmpiW (lpString1="Searches", lpString2="log") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="NTDETECT.COM") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="ntldr") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="MSDOS.SYS") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="IO.SYS") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="boot.ini") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="AUTOEXEC.BAT") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="ntuser.dat") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="desktop.ini") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="CONFIG.SYS") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="RECYCLER") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="BOOTSECT.BAK") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="bootmgr") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="programdata") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="appdata") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="program files") returned 1 [0105.577] lstrcmpiW (lpString1="Searches", lpString2="program files (x86)") returned 1 [0105.577] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0105.577] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Searches" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" [0105.577] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" [0105.577] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" [0105.577] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" [0105.577] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0105.578] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.578] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="..", cAlternateFileName="")) returned 1 [0105.578] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.578] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.578] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0105.578] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0105.579] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0105.579] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99d9932, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2=".") returned 1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="..") returned 1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="...") returned 1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="windows") returned -1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="rsa") returned -1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="log") returned -1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="NTDETECT.COM") returned -1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntldr") returned -1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="MSDOS.SYS") returned -1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="IO.SYS") returned -1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="boot.ini") returned 1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="AUTOEXEC.BAT") returned 1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntuser.dat") returned -1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="desktop.ini") returned 1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="CONFIG.SYS") returned 1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="RECYCLER") returned -1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="BOOTSECT.BAK") returned 1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="bootmgr") returned 1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="programdata") returned -1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="appdata") returned 1 [0105.579] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="program files") returned -1 [0105.580] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="program files (x86)") returned -1 [0105.580] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" [0105.580] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="Everywhere.search-ms" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" [0105.580] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".exe") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".log") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".cab") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".cmd") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".com") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".cpl") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".ini") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".dll") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".url") returned -1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".ttf") returned -1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".mp3") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".pif") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".mp4") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".NEPHILIM") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".msi") returned 1 [0105.580] lstrcmpiW (lpString1=".search-ms", lpString2=".lnk") returned 1 [0105.580] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.580] lstrlenA (lpString="NEPHILIM") returned 8 [0105.580] GetProcessHeap () returned 0x4e0000 [0105.581] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dc30 [0105.581] lstrlenA (lpString="NEPHILIM") returned 8 [0105.581] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0105.581] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=4294968320) returned 0 [0105.581] GetProcessHeap () returned 0x4e0000 [0105.581] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504dc8 [0105.581] GetProcessHeap () returned 0x4e0000 [0105.581] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504db0 [0105.581] SystemFunction036 (in: RandomBuffer=0x504dc8, RandomBufferLength=0x10 | out: RandomBuffer=0x504dc8) returned 1 [0105.581] SystemFunction036 (in: RandomBuffer=0x504db0, RandomBufferLength=0x10 | out: RandomBuffer=0x504db0) returned 1 [0105.581] GetProcessHeap () returned 0x4e0000 [0105.581] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508c50 [0105.581] GetProcessHeap () returned 0x4e0000 [0105.581] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508b48 [0105.582] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508c50*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508c50*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.582] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508b48*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508b48*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.582] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0105.582] SetLastError (dwErrCode=0x0) [0105.582] WriteFile (in: hFile=0xffffffff, lpBuffer=0x508c50, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0) returned 0 [0105.582] GetLastError () returned 0x6 [0105.582] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0105.582] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1 [0105.582] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1 [0105.582] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="...") returned 1 [0105.582] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="windows") returned -1 [0105.582] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="$RECYCLE.BIN") returned 1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="rsa") returned -1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="log") returned -1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="NTDETECT.COM") returned -1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntldr") returned -1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="MSDOS.SYS") returned -1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="IO.SYS") returned -1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="boot.ini") returned 1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="AUTOEXEC.BAT") returned 1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntuser.dat") returned -1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="desktop.ini") returned 1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="CONFIG.SYS") returned 1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="RECYCLER") returned -1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="BOOTSECT.BAK") returned 1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="bootmgr") returned 1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="programdata") returned -1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="appdata") returned 1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="program files") returned -1 [0105.583] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="program files (x86)") returned -1 [0105.583] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" [0105.583] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="Indexed Locations.search-ms" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" [0105.583] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0105.583] lstrcmpiW (lpString1=".search-ms", lpString2=".exe") returned 1 [0105.583] lstrcmpiW (lpString1=".search-ms", lpString2=".log") returned 1 [0105.583] lstrcmpiW (lpString1=".search-ms", lpString2=".cab") returned 1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".cmd") returned 1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".com") returned 1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".cpl") returned 1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".ini") returned 1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".dll") returned 1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".url") returned -1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".ttf") returned -1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".mp3") returned 1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".pif") returned 1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".mp4") returned 1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".NEPHILIM") returned 1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".msi") returned 1 [0105.584] lstrcmpiW (lpString1=".search-ms", lpString2=".lnk") returned 1 [0105.584] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.584] lstrlenA (lpString="NEPHILIM") returned 8 [0105.584] GetProcessHeap () returned 0x4e0000 [0105.584] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dc40 [0105.584] lstrlenA (lpString="NEPHILIM") returned 8 [0105.584] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0105.584] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=4294968320) returned 0 [0105.584] GetProcessHeap () returned 0x4e0000 [0105.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504de0 [0105.585] GetProcessHeap () returned 0x4e0000 [0105.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504df8 [0105.585] SystemFunction036 (in: RandomBuffer=0x504de0, RandomBufferLength=0x10 | out: RandomBuffer=0x504de0) returned 1 [0105.585] SystemFunction036 (in: RandomBuffer=0x504df8, RandomBufferLength=0x10 | out: RandomBuffer=0x504df8) returned 1 [0105.585] GetProcessHeap () returned 0x4e0000 [0105.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508d58 [0105.585] GetProcessHeap () returned 0x4e0000 [0105.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508e60 [0105.585] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508d58*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508d58*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.585] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508e60*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508e60*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.585] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0105.585] SetLastError (dwErrCode=0x0) [0105.585] WriteFile (in: hFile=0xffffffff, lpBuffer=0x508d58, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0) returned 0 [0105.586] GetLastError () returned 0x6 [0105.586] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0105.586] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0105.586] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="...") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="windows") returned -1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="$RECYCLE.BIN") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="rsa") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="log") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="NTDETECT.COM") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="ntldr") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="MSDOS.SYS") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="IO.SYS") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="boot.ini") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="AUTOEXEC.BAT") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="ntuser.dat") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="desktop.ini") returned 1 [0105.586] lstrcmpiW (lpString1="SendTo", lpString2="CONFIG.SYS") returned 1 [0105.587] lstrcmpiW (lpString1="SendTo", lpString2="RECYCLER") returned 1 [0105.587] lstrcmpiW (lpString1="SendTo", lpString2="BOOTSECT.BAK") returned 1 [0105.587] lstrcmpiW (lpString1="SendTo", lpString2="bootmgr") returned 1 [0105.587] lstrcmpiW (lpString1="SendTo", lpString2="programdata") returned 1 [0105.587] lstrcmpiW (lpString1="SendTo", lpString2="appdata") returned 1 [0105.587] lstrcmpiW (lpString1="SendTo", lpString2="program files") returned 1 [0105.587] lstrcmpiW (lpString1="SendTo", lpString2="program files (x86)") returned 1 [0105.587] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0105.587] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="SendTo" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo" [0105.587] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\" [0105.587] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\" [0105.587] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*.*" [0105.587] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0105.587] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0105.587] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0105.587] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0105.587] lstrcmpiW (lpString1="Start Menu", lpString2="...") returned 1 [0105.587] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0105.587] lstrcmpiW (lpString1="Start Menu", lpString2="$RECYCLE.BIN") returned 1 [0105.587] lstrcmpiW (lpString1="Start Menu", lpString2="rsa") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="log") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="NTDETECT.COM") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="ntldr") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="MSDOS.SYS") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="IO.SYS") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="boot.ini") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="AUTOEXEC.BAT") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="ntuser.dat") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="desktop.ini") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="CONFIG.SYS") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="RECYCLER") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="BOOTSECT.BAK") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="bootmgr") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="programdata") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="appdata") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="program files") returned 1 [0105.588] lstrcmpiW (lpString1="Start Menu", lpString2="program files (x86)") returned 1 [0105.588] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0105.588] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Start Menu" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu" [0105.588] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\" [0105.588] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\" [0105.588] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*.*" [0105.588] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0105.589] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="...") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="$RECYCLE.BIN") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="rsa") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="log") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="NTDETECT.COM") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="ntldr") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="MSDOS.SYS") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="IO.SYS") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="boot.ini") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="AUTOEXEC.BAT") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="ntuser.dat") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="desktop.ini") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="CONFIG.SYS") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="RECYCLER") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="BOOTSECT.BAK") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="programdata") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="appdata") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="program files") returned 1 [0105.589] lstrcmpiW (lpString1="Templates", lpString2="program files (x86)") returned 1 [0105.590] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0105.590] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Templates" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates" [0105.590] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\" [0105.590] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\" [0105.590] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*.*" [0105.590] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0105.590] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xde99e620, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xde99e620, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Videos", cAlternateFileName="")) returned 1 [0105.590] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0105.590] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0105.590] lstrcmpiW (lpString1="Videos", lpString2="...") returned 1 [0105.590] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0105.590] lstrcmpiW (lpString1="Videos", lpString2="$RECYCLE.BIN") returned 1 [0105.590] lstrcmpiW (lpString1="Videos", lpString2="rsa") returned 1 [0105.590] lstrcmpiW (lpString1="Videos", lpString2="log") returned 1 [0105.590] lstrcmpiW (lpString1="Videos", lpString2="NTDETECT.COM") returned 1 [0105.590] lstrcmpiW (lpString1="Videos", lpString2="ntldr") returned 1 [0105.590] lstrcmpiW (lpString1="Videos", lpString2="MSDOS.SYS") returned 1 [0105.590] lstrcmpiW (lpString1="Videos", lpString2="IO.SYS") returned 1 [0105.590] lstrcmpiW (lpString1="Videos", lpString2="boot.ini") returned 1 [0105.591] lstrcmpiW (lpString1="Videos", lpString2="AUTOEXEC.BAT") returned 1 [0105.591] lstrcmpiW (lpString1="Videos", lpString2="ntuser.dat") returned 1 [0105.591] lstrcmpiW (lpString1="Videos", lpString2="desktop.ini") returned 1 [0105.591] lstrcmpiW (lpString1="Videos", lpString2="CONFIG.SYS") returned 1 [0105.591] lstrcmpiW (lpString1="Videos", lpString2="RECYCLER") returned 1 [0105.591] lstrcmpiW (lpString1="Videos", lpString2="BOOTSECT.BAK") returned 1 [0105.591] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0105.591] lstrcmpiW (lpString1="Videos", lpString2="programdata") returned 1 [0105.591] lstrcmpiW (lpString1="Videos", lpString2="appdata") returned 1 [0105.591] lstrcmpiW (lpString1="Videos", lpString2="program files") returned 1 [0105.591] lstrcmpiW (lpString1="Videos", lpString2="program files (x86)") returned 1 [0105.591] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\" [0105.591] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Videos" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0105.591] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.591] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.591] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0105.591] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xde99e620, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xde99e620, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0105.591] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.592] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xde99e620, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xde99e620, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="..", cAlternateFileName="")) returned 1 [0105.592] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.592] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.592] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16c642f0, ftCreationTime.dwHighDateTime=0x1d5ded5, ftLastAccessTime.dwLowDateTime=0xca8b2450, ftLastAccessTime.dwHighDateTime=0x1d5e4ce, ftLastWriteTime.dwLowDateTime=0xca8b2450, ftLastWriteTime.dwHighDateTime=0x1d5e4ce, nFileSizeHigh=0x0, nFileSizeLow=0x16085, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="07LKGqlUvDd3rdk0.avi", cAlternateFileName="07LKGQ~1.AVI")) returned 1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2=".") returned 1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="..") returned 1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="...") returned 1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="windows") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="$RECYCLE.BIN") returned 1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="rsa") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="log") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="NTDETECT.COM") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="ntldr") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="MSDOS.SYS") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="IO.SYS") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="boot.ini") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="AUTOEXEC.BAT") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="ntuser.dat") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="desktop.ini") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="CONFIG.SYS") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="RECYCLER") returned -1 [0105.592] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="BOOTSECT.BAK") returned -1 [0105.593] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="bootmgr") returned -1 [0105.593] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="programdata") returned -1 [0105.593] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="appdata") returned -1 [0105.593] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="program files") returned -1 [0105.593] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="program files (x86)") returned -1 [0105.593] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.593] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="07LKGqlUvDd3rdk0.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\07LKGqlUvDd3rdk0.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\07LKGqlUvDd3rdk0.avi" [0105.593] PathFindExtensionW (pszPath="07LKGqlUvDd3rdk0.avi") returned=".avi" [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".NEPHILIM") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0105.593] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0105.593] lstrcmpiW (lpString1="07LKGqlUvDd3rdk0.avi", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.593] lstrlenA (lpString="NEPHILIM") returned 8 [0105.594] GetProcessHeap () returned 0x4e0000 [0105.594] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dc50 [0105.594] lstrlenA (lpString="NEPHILIM") returned 8 [0105.594] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\07LKGqlUvDd3rdk0.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\07lkgqluvdd3rdk0.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.594] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=90245) returned 1 [0105.594] GetProcessHeap () returned 0x4e0000 [0105.594] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.594] GetProcessHeap () returned 0x4e0000 [0105.594] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.594] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.594] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.594] GetProcessHeap () returned 0x4e0000 [0105.594] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.594] GetProcessHeap () returned 0x4e0000 [0105.594] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.594] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.595] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.595] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x16085, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.595] SetLastError (dwErrCode=0x0) [0105.595] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.596] GetLastError () returned 0x0 [0105.596] GetLastError () returned 0x0 [0105.596] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x16185, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.596] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.596] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x16285, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.596] lstrlenA (lpString="NEPHILIM") returned 8 [0105.597] WriteFile (in: hFile=0xec, lpBuffer=0x50dc50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dc50*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.597] GetProcessHeap () returned 0x4e0000 [0105.597] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x16085) returned 0x50dcb8 [0105.597] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.597] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x16085, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x16085, lpOverlapped=0x0) returned 1 [0105.602] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.603] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x16085, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x16085, lpOverlapped=0x0) returned 1 [0105.603] GetProcessHeap () returned 0x4e0000 [0105.603] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.603] CloseHandle (hObject=0xec) returned 1 [0105.611] GetProcessHeap () returned 0x4e0000 [0105.611] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.611] GetProcessHeap () returned 0x4e0000 [0105.611] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.611] GetProcessHeap () returned 0x4e0000 [0105.611] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.611] GetProcessHeap () returned 0x4e0000 [0105.611] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.611] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\07LKGqlUvDd3rdk0.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\07LKGqlUvDd3rdk0.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\07LKGqlUvDd3rdk0.avi" [0105.611] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\07LKGqlUvDd3rdk0.avi", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\07LKGqlUvDd3rdk0.avi.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\07LKGqlUvDd3rdk0.avi.NEPHILIM" [0105.611] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\07LKGqlUvDd3rdk0.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\07lkgqluvdd3rdk0.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\07LKGqlUvDd3rdk0.avi.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\07lkgqluvdd3rdk0.avi.nephilim")) returned 1 [0105.612] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1dc3570, ftCreationTime.dwHighDateTime=0x1d5e4b5, ftLastAccessTime.dwLowDateTime=0xc5fe58f0, ftLastAccessTime.dwHighDateTime=0x1d5dd6a, ftLastWriteTime.dwLowDateTime=0xc5fe58f0, ftLastWriteTime.dwHighDateTime=0x1d5dd6a, nFileSizeHigh=0x0, nFileSizeLow=0x144f2, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="0e_pY5Vcc.swf", cAlternateFileName="0E_PY5~1.SWF")) returned 1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2=".") returned 1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="..") returned 1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="...") returned 1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="windows") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="$RECYCLE.BIN") returned 1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="rsa") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="log") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="NTDETECT.COM") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="ntldr") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="MSDOS.SYS") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="IO.SYS") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="boot.ini") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="AUTOEXEC.BAT") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="ntuser.dat") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="desktop.ini") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="CONFIG.SYS") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="RECYCLER") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="BOOTSECT.BAK") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="bootmgr") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="programdata") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="appdata") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="program files") returned -1 [0105.613] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="program files (x86)") returned -1 [0105.613] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.613] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="0e_pY5Vcc.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0e_pY5Vcc.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0e_pY5Vcc.swf" [0105.614] PathFindExtensionW (pszPath="0e_pY5Vcc.swf") returned=".swf" [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".NEPHILIM") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0105.614] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0105.614] lstrcmpiW (lpString1="0e_pY5Vcc.swf", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.614] lstrlenA (lpString="NEPHILIM") returned 8 [0105.614] GetProcessHeap () returned 0x4e0000 [0105.614] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dc60 [0105.614] lstrlenA (lpString="NEPHILIM") returned 8 [0105.614] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0e_pY5Vcc.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\0e_py5vcc.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.615] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=83186) returned 1 [0105.615] GetProcessHeap () returned 0x4e0000 [0105.615] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.615] GetProcessHeap () returned 0x4e0000 [0105.615] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.615] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.615] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.615] GetProcessHeap () returned 0x4e0000 [0105.615] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.615] GetProcessHeap () returned 0x4e0000 [0105.615] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.615] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.615] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.616] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x144f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.616] SetLastError (dwErrCode=0x0) [0105.616] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.617] GetLastError () returned 0x0 [0105.617] GetLastError () returned 0x0 [0105.617] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x145f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.617] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.617] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x146f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.617] lstrlenA (lpString="NEPHILIM") returned 8 [0105.617] WriteFile (in: hFile=0xec, lpBuffer=0x50dc60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dc60*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.617] GetProcessHeap () returned 0x4e0000 [0105.617] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x144f2) returned 0x50dcb8 [0105.617] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.617] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x144f2, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x144f2, lpOverlapped=0x0) returned 1 [0105.624] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.624] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x144f2, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x144f2, lpOverlapped=0x0) returned 1 [0105.624] GetProcessHeap () returned 0x4e0000 [0105.624] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.624] CloseHandle (hObject=0xec) returned 1 [0105.626] GetProcessHeap () returned 0x4e0000 [0105.626] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.626] GetProcessHeap () returned 0x4e0000 [0105.626] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.626] GetProcessHeap () returned 0x4e0000 [0105.626] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.626] GetProcessHeap () returned 0x4e0000 [0105.626] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.626] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0e_pY5Vcc.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0e_pY5Vcc.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0e_pY5Vcc.swf" [0105.627] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0e_pY5Vcc.swf", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0e_pY5Vcc.swf.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0e_pY5Vcc.swf.NEPHILIM" [0105.627] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0e_pY5Vcc.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\0e_py5vcc.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0e_pY5Vcc.swf.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\0e_py5vcc.swf.nephilim")) returned 1 [0105.627] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3481c20, ftCreationTime.dwHighDateTime=0x1d5d846, ftLastAccessTime.dwLowDateTime=0x5d3ddfd0, ftLastAccessTime.dwHighDateTime=0x1d5d85a, ftLastWriteTime.dwLowDateTime=0x5d3ddfd0, ftLastWriteTime.dwHighDateTime=0x1d5d85a, nFileSizeHigh=0x0, nFileSizeLow=0xc5b5, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="1gKqJ15ibUv3z.flv", cAlternateFileName="1GKQJ1~1.FLV")) returned 1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2=".") returned 1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="..") returned 1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="...") returned 1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="windows") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="$RECYCLE.BIN") returned 1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="rsa") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="log") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="NTDETECT.COM") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="ntldr") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="MSDOS.SYS") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="IO.SYS") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="boot.ini") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="AUTOEXEC.BAT") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="ntuser.dat") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="desktop.ini") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="CONFIG.SYS") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="RECYCLER") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="BOOTSECT.BAK") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="bootmgr") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="programdata") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="appdata") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="program files") returned -1 [0105.628] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="program files (x86)") returned -1 [0105.628] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.629] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="1gKqJ15ibUv3z.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\1gKqJ15ibUv3z.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\1gKqJ15ibUv3z.flv" [0105.629] PathFindExtensionW (pszPath="1gKqJ15ibUv3z.flv") returned=".flv" [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".NEPHILIM") returned -1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0105.629] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0105.629] lstrcmpiW (lpString1="1gKqJ15ibUv3z.flv", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.629] lstrlenA (lpString="NEPHILIM") returned 8 [0105.629] GetProcessHeap () returned 0x4e0000 [0105.629] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dc70 [0105.629] lstrlenA (lpString="NEPHILIM") returned 8 [0105.629] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\1gKqJ15ibUv3z.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\1gkqj15ibuv3z.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.630] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=50613) returned 1 [0105.630] GetProcessHeap () returned 0x4e0000 [0105.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.630] GetProcessHeap () returned 0x4e0000 [0105.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.630] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.630] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.630] GetProcessHeap () returned 0x4e0000 [0105.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.630] GetProcessHeap () returned 0x4e0000 [0105.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.630] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.630] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.631] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xc5b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.631] SetLastError (dwErrCode=0x0) [0105.631] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.632] GetLastError () returned 0x0 [0105.632] GetLastError () returned 0x0 [0105.632] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xc6b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.632] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.632] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xc7b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.632] lstrlenA (lpString="NEPHILIM") returned 8 [0105.632] WriteFile (in: hFile=0xec, lpBuffer=0x50dc70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dc70*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.632] GetProcessHeap () returned 0x4e0000 [0105.632] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xc5b5) returned 0x50dcb8 [0105.632] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.632] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xc5b5, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0xc5b5, lpOverlapped=0x0) returned 1 [0105.636] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.636] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xc5b5, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0xc5b5, lpOverlapped=0x0) returned 1 [0105.636] GetProcessHeap () returned 0x4e0000 [0105.636] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.636] CloseHandle (hObject=0xec) returned 1 [0105.638] GetProcessHeap () returned 0x4e0000 [0105.638] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.638] GetProcessHeap () returned 0x4e0000 [0105.638] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.638] GetProcessHeap () returned 0x4e0000 [0105.638] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.638] GetProcessHeap () returned 0x4e0000 [0105.638] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.638] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\1gKqJ15ibUv3z.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\1gKqJ15ibUv3z.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\1gKqJ15ibUv3z.flv" [0105.638] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\1gKqJ15ibUv3z.flv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\1gKqJ15ibUv3z.flv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\1gKqJ15ibUv3z.flv.NEPHILIM" [0105.638] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\1gKqJ15ibUv3z.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\1gkqj15ibuv3z.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\1gKqJ15ibUv3z.flv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\1gkqj15ibuv3z.flv.nephilim")) returned 1 [0105.639] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c728c90, ftCreationTime.dwHighDateTime=0x1d5dc43, ftLastAccessTime.dwLowDateTime=0x1daa1500, ftLastAccessTime.dwHighDateTime=0x1d5e057, ftLastWriteTime.dwLowDateTime=0x1daa1500, ftLastWriteTime.dwHighDateTime=0x1d5e057, nFileSizeHigh=0x0, nFileSizeLow=0x13669, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="4YZ71ysbsTtmRB.avi", cAlternateFileName="4YZ71Y~1.AVI")) returned 1 [0105.639] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2=".") returned 1 [0105.639] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="..") returned 1 [0105.639] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="...") returned 1 [0105.639] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="windows") returned -1 [0105.639] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="$RECYCLE.BIN") returned 1 [0105.639] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="rsa") returned -1 [0105.639] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="log") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="NTDETECT.COM") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="ntldr") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="MSDOS.SYS") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="IO.SYS") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="boot.ini") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="AUTOEXEC.BAT") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="ntuser.dat") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="desktop.ini") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="CONFIG.SYS") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="RECYCLER") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="BOOTSECT.BAK") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="bootmgr") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="programdata") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="appdata") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="program files") returned -1 [0105.640] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="program files (x86)") returned -1 [0105.640] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.640] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="4YZ71ysbsTtmRB.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4YZ71ysbsTtmRB.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4YZ71ysbsTtmRB.avi" [0105.640] PathFindExtensionW (pszPath="4YZ71ysbsTtmRB.avi") returned=".avi" [0105.640] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0105.640] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0105.640] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0105.640] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0105.640] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0105.640] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0105.640] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0105.641] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0105.641] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0105.641] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0105.641] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0105.641] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0105.641] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0105.641] lstrcmpiW (lpString1=".avi", lpString2=".NEPHILIM") returned -1 [0105.641] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0105.641] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0105.641] lstrcmpiW (lpString1="4YZ71ysbsTtmRB.avi", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.641] lstrlenA (lpString="NEPHILIM") returned 8 [0105.641] GetProcessHeap () returned 0x4e0000 [0105.641] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dc80 [0105.641] lstrlenA (lpString="NEPHILIM") returned 8 [0105.641] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4YZ71ysbsTtmRB.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4yz71ysbsttmrb.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.641] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=79465) returned 1 [0105.641] GetProcessHeap () returned 0x4e0000 [0105.641] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.641] GetProcessHeap () returned 0x4e0000 [0105.642] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.642] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.642] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.642] GetProcessHeap () returned 0x4e0000 [0105.642] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.642] GetProcessHeap () returned 0x4e0000 [0105.642] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.642] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.642] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.642] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x13669, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.642] SetLastError (dwErrCode=0x0) [0105.642] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.644] GetLastError () returned 0x0 [0105.644] GetLastError () returned 0x0 [0105.644] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x13769, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.644] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.644] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x13869, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.644] lstrlenA (lpString="NEPHILIM") returned 8 [0105.644] WriteFile (in: hFile=0xec, lpBuffer=0x50dc80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dc80*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.644] GetProcessHeap () returned 0x4e0000 [0105.644] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x13669) returned 0x50dcb8 [0105.644] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.644] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x13669, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x13669, lpOverlapped=0x0) returned 1 [0105.649] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.649] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x13669, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x13669, lpOverlapped=0x0) returned 1 [0105.649] GetProcessHeap () returned 0x4e0000 [0105.650] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.650] CloseHandle (hObject=0xec) returned 1 [0105.652] GetProcessHeap () returned 0x4e0000 [0105.652] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.652] GetProcessHeap () returned 0x4e0000 [0105.652] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.652] GetProcessHeap () returned 0x4e0000 [0105.652] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.652] GetProcessHeap () returned 0x4e0000 [0105.652] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.652] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4YZ71ysbsTtmRB.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4YZ71ysbsTtmRB.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4YZ71ysbsTtmRB.avi" [0105.652] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4YZ71ysbsTtmRB.avi", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4YZ71ysbsTtmRB.avi.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4YZ71ysbsTtmRB.avi.NEPHILIM" [0105.652] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4YZ71ysbsTtmRB.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4yz71ysbsttmrb.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4YZ71ysbsTtmRB.avi.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4yz71ysbsttmrb.avi.nephilim")) returned 1 [0105.653] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57e73710, ftCreationTime.dwHighDateTime=0x1d5e576, ftLastAccessTime.dwLowDateTime=0xea8cc6f0, ftLastAccessTime.dwHighDateTime=0x1d5e177, ftLastWriteTime.dwLowDateTime=0xea8cc6f0, ftLastWriteTime.dwHighDateTime=0x1d5e177, nFileSizeHigh=0x0, nFileSizeLow=0xd3e, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="6lR6-GNGFEFCg18t.mp4", cAlternateFileName="6LR6-G~1.MP4")) returned 1 [0105.653] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2=".") returned 1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="..") returned 1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="...") returned 1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="windows") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="$RECYCLE.BIN") returned 1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="rsa") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="log") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="NTDETECT.COM") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="ntldr") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="MSDOS.SYS") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="IO.SYS") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="boot.ini") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="AUTOEXEC.BAT") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="ntuser.dat") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="desktop.ini") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="CONFIG.SYS") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="RECYCLER") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="BOOTSECT.BAK") returned -1 [0105.677] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="bootmgr") returned -1 [0105.678] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="programdata") returned -1 [0105.678] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="appdata") returned -1 [0105.678] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="program files") returned -1 [0105.678] lstrcmpiW (lpString1="6lR6-GNGFEFCg18t.mp4", lpString2="program files (x86)") returned -1 [0105.678] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.678] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="6lR6-GNGFEFCg18t.mp4" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6lR6-GNGFEFCg18t.mp4") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\6lR6-GNGFEFCg18t.mp4" [0105.678] PathFindExtensionW (pszPath="6lR6-GNGFEFCg18t.mp4") returned=".mp4" [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0105.678] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0105.678] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9cbffec0, ftCreationTime.dwHighDateTime=0x1d5e3e2, ftLastAccessTime.dwLowDateTime=0xed5ed9f0, ftLastAccessTime.dwHighDateTime=0x1d5e08b, ftLastWriteTime.dwLowDateTime=0xed5ed9f0, ftLastWriteTime.dwHighDateTime=0x1d5e08b, nFileSizeHigh=0x0, nFileSizeLow=0x9718, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="72BdruES.mp4", cAlternateFileName="")) returned 1 [0105.678] lstrcmpiW (lpString1="72BdruES.mp4", lpString2=".") returned 1 [0105.678] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="..") returned 1 [0105.678] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="...") returned 1 [0105.678] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="windows") returned -1 [0105.678] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="$RECYCLE.BIN") returned 1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="rsa") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="log") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="NTDETECT.COM") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="ntldr") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="MSDOS.SYS") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="IO.SYS") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="boot.ini") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="AUTOEXEC.BAT") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="ntuser.dat") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="desktop.ini") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="CONFIG.SYS") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="RECYCLER") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="BOOTSECT.BAK") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="bootmgr") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="programdata") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="appdata") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="program files") returned -1 [0105.679] lstrcmpiW (lpString1="72BdruES.mp4", lpString2="program files (x86)") returned -1 [0105.679] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.679] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="72BdruES.mp4" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\72BdruES.mp4") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\72BdruES.mp4" [0105.679] PathFindExtensionW (pszPath="72BdruES.mp4") returned=".mp4" [0105.679] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0105.679] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0105.679] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0105.679] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0105.680] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0105.680] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0105.680] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0105.680] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0105.680] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0105.680] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0105.680] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0105.680] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0105.680] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0105.680] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c93120, ftCreationTime.dwHighDateTime=0x1d5dc2b, ftLastAccessTime.dwLowDateTime=0xfd8d1380, ftLastAccessTime.dwHighDateTime=0x1d5e2ef, ftLastWriteTime.dwLowDateTime=0xfd8d1380, ftLastWriteTime.dwHighDateTime=0x1d5e2ef, nFileSizeHigh=0x0, nFileSizeLow=0xe26b, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="9Eb-_YDs8aEVkG4xN.avi", cAlternateFileName="9EB-_Y~1.AVI")) returned 1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2=".") returned 1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="..") returned 1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="...") returned 1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="windows") returned -1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="$RECYCLE.BIN") returned 1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="rsa") returned -1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="log") returned -1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="NTDETECT.COM") returned -1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="ntldr") returned -1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="MSDOS.SYS") returned -1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="IO.SYS") returned -1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="boot.ini") returned -1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="AUTOEXEC.BAT") returned -1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="ntuser.dat") returned -1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="desktop.ini") returned -1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="CONFIG.SYS") returned -1 [0105.680] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="RECYCLER") returned -1 [0105.681] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="BOOTSECT.BAK") returned -1 [0105.681] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="bootmgr") returned -1 [0105.681] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="programdata") returned -1 [0105.681] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="appdata") returned -1 [0105.681] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="program files") returned -1 [0105.681] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="program files (x86)") returned -1 [0105.681] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.681] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="9Eb-_YDs8aEVkG4xN.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Eb-_YDs8aEVkG4xN.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Eb-_YDs8aEVkG4xN.avi" [0105.681] PathFindExtensionW (pszPath="9Eb-_YDs8aEVkG4xN.avi") returned=".avi" [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".NEPHILIM") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0105.681] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0105.681] lstrcmpiW (lpString1="9Eb-_YDs8aEVkG4xN.avi", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.681] lstrlenA (lpString="NEPHILIM") returned 8 [0105.682] GetProcessHeap () returned 0x4e0000 [0105.682] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dc90 [0105.682] lstrlenA (lpString="NEPHILIM") returned 8 [0105.682] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Eb-_YDs8aEVkG4xN.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9eb-_yds8aevkg4xn.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.682] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=57963) returned 1 [0105.682] GetProcessHeap () returned 0x4e0000 [0105.682] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.682] GetProcessHeap () returned 0x4e0000 [0105.682] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.682] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.682] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.682] GetProcessHeap () returned 0x4e0000 [0105.682] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.682] GetProcessHeap () returned 0x4e0000 [0105.682] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.683] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.683] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.683] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe26b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.683] SetLastError (dwErrCode=0x0) [0105.683] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.684] GetLastError () returned 0x0 [0105.684] GetLastError () returned 0x0 [0105.684] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe36b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.684] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.685] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe46b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.685] lstrlenA (lpString="NEPHILIM") returned 8 [0105.685] WriteFile (in: hFile=0xec, lpBuffer=0x50dc90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dc90*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.685] GetProcessHeap () returned 0x4e0000 [0105.685] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xe26b) returned 0x50dcb8 [0105.685] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.685] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xe26b, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0xe26b, lpOverlapped=0x0) returned 1 [0105.689] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.689] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xe26b, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0xe26b, lpOverlapped=0x0) returned 1 [0105.689] GetProcessHeap () returned 0x4e0000 [0105.689] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.689] CloseHandle (hObject=0xec) returned 1 [0105.691] GetProcessHeap () returned 0x4e0000 [0105.691] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.691] GetProcessHeap () returned 0x4e0000 [0105.691] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.691] GetProcessHeap () returned 0x4e0000 [0105.691] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.691] GetProcessHeap () returned 0x4e0000 [0105.691] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.692] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Eb-_YDs8aEVkG4xN.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Eb-_YDs8aEVkG4xN.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Eb-_YDs8aEVkG4xN.avi" [0105.692] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Eb-_YDs8aEVkG4xN.avi", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Eb-_YDs8aEVkG4xN.avi.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Eb-_YDs8aEVkG4xN.avi.NEPHILIM" [0105.692] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Eb-_YDs8aEVkG4xN.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9eb-_yds8aevkg4xn.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Eb-_YDs8aEVkG4xN.avi.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9eb-_yds8aevkg4xn.avi.nephilim")) returned 1 [0105.692] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2b908b0, ftCreationTime.dwHighDateTime=0x1d5dce5, ftLastAccessTime.dwLowDateTime=0x16b733d0, ftLastAccessTime.dwHighDateTime=0x1d5db1c, ftLastWriteTime.dwLowDateTime=0x16b733d0, ftLastWriteTime.dwHighDateTime=0x1d5db1c, nFileSizeHigh=0x0, nFileSizeLow=0x1cde, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="9Z bHz.swf", cAlternateFileName="9ZBHZ~1.SWF")) returned 1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2=".") returned 1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="..") returned 1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="...") returned 1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="windows") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="$RECYCLE.BIN") returned 1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="rsa") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="log") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="NTDETECT.COM") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="ntldr") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="MSDOS.SYS") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="IO.SYS") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="boot.ini") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="AUTOEXEC.BAT") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="ntuser.dat") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="desktop.ini") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="CONFIG.SYS") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="RECYCLER") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="BOOTSECT.BAK") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="bootmgr") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="programdata") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="appdata") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="program files") returned -1 [0105.693] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="program files (x86)") returned -1 [0105.693] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.693] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="9Z bHz.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Z bHz.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Z bHz.swf" [0105.693] PathFindExtensionW (pszPath="9Z bHz.swf") returned=".swf" [0105.693] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0105.693] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0105.693] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0105.693] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0105.694] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0105.694] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0105.694] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0105.694] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0105.694] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0105.694] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0105.694] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0105.694] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0105.694] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0105.694] lstrcmpiW (lpString1=".swf", lpString2=".NEPHILIM") returned 1 [0105.694] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0105.694] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0105.694] lstrcmpiW (lpString1="9Z bHz.swf", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.694] lstrlenA (lpString="NEPHILIM") returned 8 [0105.694] GetProcessHeap () returned 0x4e0000 [0105.694] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50dca0 [0105.694] lstrlenA (lpString="NEPHILIM") returned 8 [0105.694] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Z bHz.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9z bhz.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.694] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=7390) returned 1 [0105.694] GetProcessHeap () returned 0x4e0000 [0105.694] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.695] GetProcessHeap () returned 0x4e0000 [0105.695] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.695] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.695] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.695] GetProcessHeap () returned 0x4e0000 [0105.695] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.695] GetProcessHeap () returned 0x4e0000 [0105.695] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.695] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.695] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.695] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1cde, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.695] SetLastError (dwErrCode=0x0) [0105.695] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.696] GetLastError () returned 0x0 [0105.696] GetLastError () returned 0x0 [0105.697] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1dde, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.697] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.697] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.697] lstrlenA (lpString="NEPHILIM") returned 8 [0105.697] WriteFile (in: hFile=0xec, lpBuffer=0x50dca0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dca0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.697] GetProcessHeap () returned 0x4e0000 [0105.697] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1cde) returned 0x50b8a8 [0105.697] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.697] ReadFile (in: hFile=0xec, lpBuffer=0x50b8a8, nNumberOfBytesToRead=0x1cde, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesRead=0x24de430*=0x1cde, lpOverlapped=0x0) returned 1 [0105.698] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.698] WriteFile (in: hFile=0xec, lpBuffer=0x50b8a8*, nNumberOfBytesToWrite=0x1cde, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8a8*, lpNumberOfBytesWritten=0x24de43c*=0x1cde, lpOverlapped=0x0) returned 1 [0105.698] GetProcessHeap () returned 0x4e0000 [0105.698] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50b8a8 | out: hHeap=0x4e0000) returned 1 [0105.698] CloseHandle (hObject=0xec) returned 1 [0105.699] GetProcessHeap () returned 0x4e0000 [0105.699] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.699] GetProcessHeap () returned 0x4e0000 [0105.699] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.699] GetProcessHeap () returned 0x4e0000 [0105.699] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.699] GetProcessHeap () returned 0x4e0000 [0105.699] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.699] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Z bHz.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Z bHz.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Z bHz.swf" [0105.700] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Z bHz.swf", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Z bHz.swf.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Z bHz.swf.NEPHILIM" [0105.700] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Z bHz.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9z bhz.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\9Z bHz.swf.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\9z bhz.swf.nephilim")) returned 1 [0105.701] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8871fb0, ftCreationTime.dwHighDateTime=0x1d5e7a2, ftLastAccessTime.dwLowDateTime=0x7548d760, ftLastAccessTime.dwHighDateTime=0x1d5de22, ftLastWriteTime.dwLowDateTime=0x7548d760, ftLastWriteTime.dwHighDateTime=0x1d5de22, nFileSizeHigh=0x0, nFileSizeLow=0x13ba5, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="BHvmegf--VJhdfxMW5.mkv", cAlternateFileName="BHVMEG~1.MKV")) returned 1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2=".") returned 1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="..") returned 1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="...") returned 1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="windows") returned -1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="$RECYCLE.BIN") returned 1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="rsa") returned -1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="log") returned -1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="NTDETECT.COM") returned -1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="ntldr") returned -1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="MSDOS.SYS") returned -1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="IO.SYS") returned -1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="boot.ini") returned -1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="ntuser.dat") returned -1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="desktop.ini") returned -1 [0105.701] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="CONFIG.SYS") returned -1 [0105.702] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="RECYCLER") returned -1 [0105.702] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="BOOTSECT.BAK") returned -1 [0105.702] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="bootmgr") returned -1 [0105.702] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="programdata") returned -1 [0105.702] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="appdata") returned 1 [0105.702] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="program files") returned -1 [0105.702] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="program files (x86)") returned -1 [0105.702] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.702] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="BHvmegf--VJhdfxMW5.mkv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BHvmegf--VJhdfxMW5.mkv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BHvmegf--VJhdfxMW5.mkv" [0105.702] PathFindExtensionW (pszPath="BHvmegf--VJhdfxMW5.mkv") returned=".mkv" [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".NEPHILIM") returned -1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0105.702] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0105.703] lstrcmpiW (lpString1="BHvmegf--VJhdfxMW5.mkv", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.703] lstrlenA (lpString="NEPHILIM") returned 8 [0105.703] GetProcessHeap () returned 0x4e0000 [0105.703] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b8c0 [0105.703] lstrlenA (lpString="NEPHILIM") returned 8 [0105.703] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BHvmegf--VJhdfxMW5.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bhvmegf--vjhdfxmw5.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.703] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=80805) returned 1 [0105.703] GetProcessHeap () returned 0x4e0000 [0105.703] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.703] GetProcessHeap () returned 0x4e0000 [0105.703] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.703] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.703] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.703] GetProcessHeap () returned 0x4e0000 [0105.703] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.703] GetProcessHeap () returned 0x4e0000 [0105.703] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.703] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.704] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.704] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x13ba5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.704] SetLastError (dwErrCode=0x0) [0105.704] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.705] GetLastError () returned 0x0 [0105.705] GetLastError () returned 0x0 [0105.705] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x13ca5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.705] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.705] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x13da5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.705] lstrlenA (lpString="NEPHILIM") returned 8 [0105.705] WriteFile (in: hFile=0xec, lpBuffer=0x50b8c0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8c0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.706] GetProcessHeap () returned 0x4e0000 [0105.706] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x13ba5) returned 0x50dcb8 [0105.706] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.706] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x13ba5, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x13ba5, lpOverlapped=0x0) returned 1 [0105.711] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.711] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x13ba5, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x13ba5, lpOverlapped=0x0) returned 1 [0105.711] GetProcessHeap () returned 0x4e0000 [0105.712] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.712] CloseHandle (hObject=0xec) returned 1 [0105.713] GetProcessHeap () returned 0x4e0000 [0105.713] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.713] GetProcessHeap () returned 0x4e0000 [0105.713] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.713] GetProcessHeap () returned 0x4e0000 [0105.713] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.714] GetProcessHeap () returned 0x4e0000 [0105.714] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.714] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BHvmegf--VJhdfxMW5.mkv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BHvmegf--VJhdfxMW5.mkv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BHvmegf--VJhdfxMW5.mkv" [0105.714] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BHvmegf--VJhdfxMW5.mkv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BHvmegf--VJhdfxMW5.mkv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BHvmegf--VJhdfxMW5.mkv.NEPHILIM" [0105.714] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BHvmegf--VJhdfxMW5.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bhvmegf--vjhdfxmw5.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BHvmegf--VJhdfxMW5.mkv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bhvmegf--vjhdfxmw5.mkv.nephilim")) returned 1 [0105.715] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8ea41c0, ftCreationTime.dwHighDateTime=0x1d5db82, ftLastAccessTime.dwLowDateTime=0xd7af29c0, ftLastAccessTime.dwHighDateTime=0x1d5e6f3, ftLastWriteTime.dwLowDateTime=0xd7af29c0, ftLastWriteTime.dwHighDateTime=0x1d5e6f3, nFileSizeHigh=0x0, nFileSizeLow=0x28dd, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="bQGYb789IQ0v.swf", cAlternateFileName="BQGYB7~1.SWF")) returned 1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2=".") returned 1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="..") returned 1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="...") returned 1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="windows") returned -1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="$RECYCLE.BIN") returned 1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="rsa") returned -1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="log") returned -1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="NTDETECT.COM") returned -1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="ntldr") returned -1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="MSDOS.SYS") returned -1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="IO.SYS") returned -1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="boot.ini") returned 1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="AUTOEXEC.BAT") returned 1 [0105.715] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="ntuser.dat") returned -1 [0105.716] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="desktop.ini") returned -1 [0105.716] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="CONFIG.SYS") returned -1 [0105.716] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="RECYCLER") returned -1 [0105.716] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="BOOTSECT.BAK") returned 1 [0105.716] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="bootmgr") returned 1 [0105.716] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="programdata") returned -1 [0105.716] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="appdata") returned 1 [0105.716] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="program files") returned -1 [0105.718] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="program files (x86)") returned -1 [0105.718] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.718] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="bQGYb789IQ0v.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bQGYb789IQ0v.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bQGYb789IQ0v.swf" [0105.718] PathFindExtensionW (pszPath="bQGYb789IQ0v.swf") returned=".swf" [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".NEPHILIM") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0105.718] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0105.718] lstrcmpiW (lpString1="bQGYb789IQ0v.swf", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.719] lstrlenA (lpString="NEPHILIM") returned 8 [0105.719] GetProcessHeap () returned 0x4e0000 [0105.719] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b8d0 [0105.719] lstrlenA (lpString="NEPHILIM") returned 8 [0105.719] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bQGYb789IQ0v.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bqgyb789iq0v.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.719] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=10461) returned 1 [0105.719] GetProcessHeap () returned 0x4e0000 [0105.719] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.719] GetProcessHeap () returned 0x4e0000 [0105.719] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.719] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.719] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.719] GetProcessHeap () returned 0x4e0000 [0105.719] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.719] GetProcessHeap () returned 0x4e0000 [0105.719] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.720] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.720] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.720] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x28dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.720] SetLastError (dwErrCode=0x0) [0105.720] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.721] GetLastError () returned 0x0 [0105.721] GetLastError () returned 0x0 [0105.721] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x29dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.722] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.722] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x2add, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.722] lstrlenA (lpString="NEPHILIM") returned 8 [0105.722] WriteFile (in: hFile=0xec, lpBuffer=0x50b8d0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8d0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.722] GetProcessHeap () returned 0x4e0000 [0105.722] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x28dd) returned 0x50dcb8 [0105.722] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.722] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x28dd, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x28dd, lpOverlapped=0x0) returned 1 [0105.723] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.723] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x28dd, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x28dd, lpOverlapped=0x0) returned 1 [0105.723] GetProcessHeap () returned 0x4e0000 [0105.723] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.723] CloseHandle (hObject=0xec) returned 1 [0105.724] GetProcessHeap () returned 0x4e0000 [0105.724] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.724] GetProcessHeap () returned 0x4e0000 [0105.724] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.724] GetProcessHeap () returned 0x4e0000 [0105.724] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.724] GetProcessHeap () returned 0x4e0000 [0105.724] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.725] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bQGYb789IQ0v.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bQGYb789IQ0v.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bQGYb789IQ0v.swf" [0105.725] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bQGYb789IQ0v.swf", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bQGYb789IQ0v.swf.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bQGYb789IQ0v.swf.NEPHILIM" [0105.725] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bQGYb789IQ0v.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bqgyb789iq0v.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\bQGYb789IQ0v.swf.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bqgyb789iq0v.swf.nephilim")) returned 1 [0105.726] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4bac830, ftCreationTime.dwHighDateTime=0x1d5dc26, ftLastAccessTime.dwLowDateTime=0xa912e990, ftLastAccessTime.dwHighDateTime=0x1d5e43b, ftLastWriteTime.dwLowDateTime=0xa912e990, ftLastWriteTime.dwHighDateTime=0x1d5e43b, nFileSizeHigh=0x0, nFileSizeLow=0xddfd, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="d079BHh9aEqvN4.mp4", cAlternateFileName="D079BH~1.MP4")) returned 1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2=".") returned 1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="..") returned 1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="...") returned 1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="windows") returned -1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="$RECYCLE.BIN") returned 1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="rsa") returned -1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="log") returned -1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="NTDETECT.COM") returned -1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="ntldr") returned -1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="MSDOS.SYS") returned -1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="IO.SYS") returned -1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="boot.ini") returned 1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="ntuser.dat") returned -1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="desktop.ini") returned -1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="CONFIG.SYS") returned 1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="RECYCLER") returned -1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="BOOTSECT.BAK") returned 1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="bootmgr") returned 1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="programdata") returned -1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="appdata") returned 1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="program files") returned -1 [0105.726] lstrcmpiW (lpString1="d079BHh9aEqvN4.mp4", lpString2="program files (x86)") returned -1 [0105.726] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.726] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="d079BHh9aEqvN4.mp4" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\d079BHh9aEqvN4.mp4") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\d079BHh9aEqvN4.mp4" [0105.727] PathFindExtensionW (pszPath="d079BHh9aEqvN4.mp4") returned=".mp4" [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0105.727] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0105.727] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.727] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.727] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.727] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0105.727] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0105.727] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0105.727] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0105.727] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0105.727] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0105.727] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0105.727] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0105.728] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0105.728] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0105.728] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0105.728] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0105.728] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0105.728] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c4dec90, ftCreationTime.dwHighDateTime=0x1d5e353, ftLastAccessTime.dwLowDateTime=0x30872020, ftLastAccessTime.dwHighDateTime=0x1d5e1e5, ftLastWriteTime.dwLowDateTime=0x30872020, ftLastWriteTime.dwHighDateTime=0x1d5e1e5, nFileSizeHigh=0x0, nFileSizeLow=0x11ebc, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="I3Q-NQ-b.mkv", cAlternateFileName="")) returned 1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2=".") returned 1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="..") returned 1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="...") returned 1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="windows") returned -1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="$RECYCLE.BIN") returned 1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="rsa") returned -1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="log") returned -1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="NTDETECT.COM") returned -1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="ntldr") returned -1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="MSDOS.SYS") returned -1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="IO.SYS") returned -1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="boot.ini") returned 1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="ntuser.dat") returned -1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="desktop.ini") returned 1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="CONFIG.SYS") returned 1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="RECYCLER") returned -1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="BOOTSECT.BAK") returned 1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="bootmgr") returned 1 [0105.728] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="programdata") returned -1 [0105.729] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="appdata") returned 1 [0105.729] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="program files") returned -1 [0105.729] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="program files (x86)") returned -1 [0105.729] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.729] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="I3Q-NQ-b.mkv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\I3Q-NQ-b.mkv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\I3Q-NQ-b.mkv" [0105.729] PathFindExtensionW (pszPath="I3Q-NQ-b.mkv") returned=".mkv" [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".NEPHILIM") returned -1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0105.729] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0105.729] lstrcmpiW (lpString1="I3Q-NQ-b.mkv", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.729] lstrlenA (lpString="NEPHILIM") returned 8 [0105.729] GetProcessHeap () returned 0x4e0000 [0105.730] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b8e0 [0105.730] lstrlenA (lpString="NEPHILIM") returned 8 [0105.730] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\I3Q-NQ-b.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\i3q-nq-b.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.730] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=73404) returned 1 [0105.730] GetProcessHeap () returned 0x4e0000 [0105.730] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.730] GetProcessHeap () returned 0x4e0000 [0105.730] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.730] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.730] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.730] GetProcessHeap () returned 0x4e0000 [0105.730] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.730] GetProcessHeap () returned 0x4e0000 [0105.730] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.730] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.731] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.731] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11ebc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.731] SetLastError (dwErrCode=0x0) [0105.731] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.732] GetLastError () returned 0x0 [0105.732] GetLastError () returned 0x0 [0105.732] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x11fbc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.732] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.733] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x120bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.733] lstrlenA (lpString="NEPHILIM") returned 8 [0105.733] WriteFile (in: hFile=0xec, lpBuffer=0x50b8e0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8e0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.733] GetProcessHeap () returned 0x4e0000 [0105.733] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x11ebc) returned 0x50dcb8 [0105.733] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.733] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x11ebc, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x11ebc, lpOverlapped=0x0) returned 1 [0105.738] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.738] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x11ebc, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x11ebc, lpOverlapped=0x0) returned 1 [0105.738] GetProcessHeap () returned 0x4e0000 [0105.738] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.738] CloseHandle (hObject=0xec) returned 1 [0105.740] GetProcessHeap () returned 0x4e0000 [0105.740] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.740] GetProcessHeap () returned 0x4e0000 [0105.740] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.740] GetProcessHeap () returned 0x4e0000 [0105.740] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.740] GetProcessHeap () returned 0x4e0000 [0105.740] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.740] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\I3Q-NQ-b.mkv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\I3Q-NQ-b.mkv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\I3Q-NQ-b.mkv" [0105.740] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\I3Q-NQ-b.mkv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\I3Q-NQ-b.mkv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\I3Q-NQ-b.mkv.NEPHILIM" [0105.741] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\I3Q-NQ-b.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\i3q-nq-b.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\I3Q-NQ-b.mkv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\i3q-nq-b.mkv.nephilim")) returned 1 [0105.741] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cfc6970, ftCreationTime.dwHighDateTime=0x1d5e643, ftLastAccessTime.dwLowDateTime=0xd1e2bd80, ftLastAccessTime.dwHighDateTime=0x1d5de52, ftLastWriteTime.dwLowDateTime=0xd1e2bd80, ftLastWriteTime.dwHighDateTime=0x1d5de52, nFileSizeHigh=0x0, nFileSizeLow=0x1300d, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="iGVSRibs-r0ZBuDJPJcf.avi", cAlternateFileName="IGVSRI~1.AVI")) returned 1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2=".") returned 1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="..") returned 1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="...") returned 1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="windows") returned -1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="$RECYCLE.BIN") returned 1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="rsa") returned -1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="log") returned -1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="NTDETECT.COM") returned -1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="ntldr") returned -1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="MSDOS.SYS") returned -1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="IO.SYS") returned -1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="boot.ini") returned 1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="AUTOEXEC.BAT") returned 1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="ntuser.dat") returned -1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="desktop.ini") returned 1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="CONFIG.SYS") returned 1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="RECYCLER") returned -1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="BOOTSECT.BAK") returned 1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="bootmgr") returned 1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="programdata") returned -1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="appdata") returned 1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="program files") returned -1 [0105.742] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="program files (x86)") returned -1 [0105.742] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.742] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="iGVSRibs-r0ZBuDJPJcf.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iGVSRibs-r0ZBuDJPJcf.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iGVSRibs-r0ZBuDJPJcf.avi" [0105.742] PathFindExtensionW (pszPath="iGVSRibs-r0ZBuDJPJcf.avi") returned=".avi" [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".NEPHILIM") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0105.743] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0105.743] lstrcmpiW (lpString1="iGVSRibs-r0ZBuDJPJcf.avi", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.743] lstrlenA (lpString="NEPHILIM") returned 8 [0105.743] GetProcessHeap () returned 0x4e0000 [0105.743] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b8f0 [0105.743] lstrlenA (lpString="NEPHILIM") returned 8 [0105.743] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iGVSRibs-r0ZBuDJPJcf.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\igvsribs-r0zbudjpjcf.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.744] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=77837) returned 1 [0105.744] GetProcessHeap () returned 0x4e0000 [0105.744] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.744] GetProcessHeap () returned 0x4e0000 [0105.744] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.744] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.744] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.744] GetProcessHeap () returned 0x4e0000 [0105.744] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.744] GetProcessHeap () returned 0x4e0000 [0105.744] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.744] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.744] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.744] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1300d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.745] SetLastError (dwErrCode=0x0) [0105.745] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.746] GetLastError () returned 0x0 [0105.746] GetLastError () returned 0x0 [0105.746] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1310d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.746] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.746] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x1320d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.746] lstrlenA (lpString="NEPHILIM") returned 8 [0105.746] WriteFile (in: hFile=0xec, lpBuffer=0x50b8f0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b8f0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.746] GetProcessHeap () returned 0x4e0000 [0105.746] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1300d) returned 0x50dcb8 [0105.746] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.746] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x1300d, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x1300d, lpOverlapped=0x0) returned 1 [0105.751] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.751] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x1300d, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x1300d, lpOverlapped=0x0) returned 1 [0105.751] GetProcessHeap () returned 0x4e0000 [0105.752] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.752] CloseHandle (hObject=0xec) returned 1 [0105.753] GetProcessHeap () returned 0x4e0000 [0105.753] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.753] GetProcessHeap () returned 0x4e0000 [0105.753] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.753] GetProcessHeap () returned 0x4e0000 [0105.753] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.753] GetProcessHeap () returned 0x4e0000 [0105.754] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.754] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iGVSRibs-r0ZBuDJPJcf.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iGVSRibs-r0ZBuDJPJcf.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iGVSRibs-r0ZBuDJPJcf.avi" [0105.754] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iGVSRibs-r0ZBuDJPJcf.avi", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iGVSRibs-r0ZBuDJPJcf.avi.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iGVSRibs-r0ZBuDJPJcf.avi.NEPHILIM" [0105.754] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iGVSRibs-r0ZBuDJPJcf.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\igvsribs-r0zbudjpjcf.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iGVSRibs-r0ZBuDJPJcf.avi.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\igvsribs-r0zbudjpjcf.avi.nephilim")) returned 1 [0105.755] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cfca10, ftCreationTime.dwHighDateTime=0x1d5e77e, ftLastAccessTime.dwLowDateTime=0xddc5e0f0, ftLastAccessTime.dwHighDateTime=0x1d5db05, ftLastWriteTime.dwLowDateTime=0xddc5e0f0, ftLastWriteTime.dwHighDateTime=0x1d5db05, nFileSizeHigh=0x0, nFileSizeLow=0x102ac, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="iJe a2W.avi", cAlternateFileName="IJEA2W~1.AVI")) returned 1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2=".") returned 1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="..") returned 1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="...") returned 1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="windows") returned -1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="$RECYCLE.BIN") returned 1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="rsa") returned -1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="log") returned -1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="NTDETECT.COM") returned -1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="ntldr") returned -1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="MSDOS.SYS") returned -1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="IO.SYS") returned -1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="boot.ini") returned 1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="AUTOEXEC.BAT") returned 1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="ntuser.dat") returned -1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="desktop.ini") returned 1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="CONFIG.SYS") returned 1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="RECYCLER") returned -1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="BOOTSECT.BAK") returned 1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="bootmgr") returned 1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="programdata") returned -1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="appdata") returned 1 [0105.755] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="program files") returned -1 [0105.756] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="program files (x86)") returned -1 [0105.756] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.756] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="iJe a2W.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iJe a2W.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iJe a2W.avi" [0105.756] PathFindExtensionW (pszPath="iJe a2W.avi") returned=".avi" [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".NEPHILIM") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0105.756] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0105.756] lstrcmpiW (lpString1="iJe a2W.avi", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.756] lstrlenA (lpString="NEPHILIM") returned 8 [0105.756] GetProcessHeap () returned 0x4e0000 [0105.756] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b900 [0105.757] lstrlenA (lpString="NEPHILIM") returned 8 [0105.757] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iJe a2W.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ije a2w.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.757] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=66220) returned 1 [0105.757] GetProcessHeap () returned 0x4e0000 [0105.757] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.757] GetProcessHeap () returned 0x4e0000 [0105.757] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.757] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.757] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.757] GetProcessHeap () returned 0x4e0000 [0105.757] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.757] GetProcessHeap () returned 0x4e0000 [0105.757] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.757] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.758] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.758] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x102ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.758] SetLastError (dwErrCode=0x0) [0105.758] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.759] GetLastError () returned 0x0 [0105.759] GetLastError () returned 0x0 [0105.759] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x103ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.759] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.759] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x104ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.759] lstrlenA (lpString="NEPHILIM") returned 8 [0105.759] WriteFile (in: hFile=0xec, lpBuffer=0x50b900*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b900*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.759] GetProcessHeap () returned 0x4e0000 [0105.759] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x102ac) returned 0x50dcb8 [0105.760] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.760] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x102ac, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x102ac, lpOverlapped=0x0) returned 1 [0105.768] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.768] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x102ac, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x102ac, lpOverlapped=0x0) returned 1 [0105.768] GetProcessHeap () returned 0x4e0000 [0105.768] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.768] CloseHandle (hObject=0xec) returned 1 [0105.772] GetProcessHeap () returned 0x4e0000 [0105.772] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.772] GetProcessHeap () returned 0x4e0000 [0105.772] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.772] GetProcessHeap () returned 0x4e0000 [0105.772] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.772] GetProcessHeap () returned 0x4e0000 [0105.772] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.772] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iJe a2W.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iJe a2W.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iJe a2W.avi" [0105.772] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iJe a2W.avi", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iJe a2W.avi.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iJe a2W.avi.NEPHILIM" [0105.772] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iJe a2W.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ije a2w.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\iJe a2W.avi.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ije a2w.avi.nephilim")) returned 1 [0105.773] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56215ca0, ftCreationTime.dwHighDateTime=0x1d5e5a1, ftLastAccessTime.dwLowDateTime=0xcca5c350, ftLastAccessTime.dwHighDateTime=0x1d5e544, ftLastWriteTime.dwLowDateTime=0xcca5c350, ftLastWriteTime.dwHighDateTime=0x1d5e544, nFileSizeHigh=0x0, nFileSizeLow=0xbc98, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="JEnxvypOyvR.mp4", cAlternateFileName="JENXVY~1.MP4")) returned 1 [0105.773] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2=".") returned 1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="..") returned 1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="...") returned 1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="windows") returned -1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="$RECYCLE.BIN") returned 1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="rsa") returned -1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="log") returned -1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="NTDETECT.COM") returned -1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="ntldr") returned -1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="MSDOS.SYS") returned -1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="IO.SYS") returned 1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="boot.ini") returned 1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="ntuser.dat") returned -1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="desktop.ini") returned 1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="CONFIG.SYS") returned 1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="RECYCLER") returned -1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="BOOTSECT.BAK") returned 1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="bootmgr") returned 1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="programdata") returned -1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="appdata") returned 1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="program files") returned -1 [0105.774] lstrcmpiW (lpString1="JEnxvypOyvR.mp4", lpString2="program files (x86)") returned -1 [0105.774] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.774] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="JEnxvypOyvR.mp4" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\JEnxvypOyvR.mp4") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\JEnxvypOyvR.mp4" [0105.774] PathFindExtensionW (pszPath="JEnxvypOyvR.mp4") returned=".mp4" [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0105.775] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0105.775] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3fe7e80, ftCreationTime.dwHighDateTime=0x1d5de60, ftLastAccessTime.dwLowDateTime=0x7defd430, ftLastAccessTime.dwHighDateTime=0x1d5e5ad, ftLastWriteTime.dwLowDateTime=0x7defd430, ftLastWriteTime.dwHighDateTime=0x1d5e5ad, nFileSizeHigh=0x0, nFileSizeLow=0x12c42, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="khGDyxsV_OLZUC0JCQ4.mkv", cAlternateFileName="KHGDYX~1.MKV")) returned 1 [0105.775] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2=".") returned 1 [0105.775] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="..") returned 1 [0105.775] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="...") returned 1 [0105.775] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="windows") returned -1 [0105.775] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="$RECYCLE.BIN") returned 1 [0105.775] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="rsa") returned -1 [0105.775] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="log") returned -1 [0105.775] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="NTDETECT.COM") returned -1 [0105.775] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="ntldr") returned -1 [0105.775] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="MSDOS.SYS") returned -1 [0105.775] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="IO.SYS") returned 1 [0105.776] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="boot.ini") returned 1 [0105.776] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0105.776] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="ntuser.dat") returned -1 [0105.776] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="desktop.ini") returned 1 [0105.776] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="CONFIG.SYS") returned 1 [0105.776] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="RECYCLER") returned -1 [0105.776] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="BOOTSECT.BAK") returned 1 [0105.776] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="bootmgr") returned 1 [0105.776] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="programdata") returned -1 [0105.776] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="appdata") returned 1 [0105.776] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="program files") returned -1 [0105.776] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="program files (x86)") returned -1 [0105.776] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.776] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="khGDyxsV_OLZUC0JCQ4.mkv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\khGDyxsV_OLZUC0JCQ4.mkv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\khGDyxsV_OLZUC0JCQ4.mkv" [0105.776] PathFindExtensionW (pszPath="khGDyxsV_OLZUC0JCQ4.mkv") returned=".mkv" [0105.776] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0105.776] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0105.776] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0105.776] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0105.776] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0105.776] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0105.776] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0105.776] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0105.776] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0105.776] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0105.777] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0105.777] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0105.777] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0105.777] lstrcmpiW (lpString1=".mkv", lpString2=".NEPHILIM") returned -1 [0105.777] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0105.777] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0105.777] lstrcmpiW (lpString1="khGDyxsV_OLZUC0JCQ4.mkv", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.777] lstrlenA (lpString="NEPHILIM") returned 8 [0105.777] GetProcessHeap () returned 0x4e0000 [0105.777] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b910 [0105.777] lstrlenA (lpString="NEPHILIM") returned 8 [0105.777] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\khGDyxsV_OLZUC0JCQ4.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\khgdyxsv_olzuc0jcq4.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.777] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=76866) returned 1 [0105.777] GetProcessHeap () returned 0x4e0000 [0105.777] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.777] GetProcessHeap () returned 0x4e0000 [0105.778] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.778] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.778] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.778] GetProcessHeap () returned 0x4e0000 [0105.778] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.778] GetProcessHeap () returned 0x4e0000 [0105.778] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.778] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.778] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.778] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x12c42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.778] SetLastError (dwErrCode=0x0) [0105.778] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.780] GetLastError () returned 0x0 [0105.780] GetLastError () returned 0x0 [0105.780] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x12d42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.780] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.780] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x12e42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.780] lstrlenA (lpString="NEPHILIM") returned 8 [0105.780] WriteFile (in: hFile=0xec, lpBuffer=0x50b910*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b910*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.780] GetProcessHeap () returned 0x4e0000 [0105.780] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x12c42) returned 0x50dcb8 [0105.780] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.780] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x12c42, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x12c42, lpOverlapped=0x0) returned 1 [0105.785] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.785] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x12c42, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x12c42, lpOverlapped=0x0) returned 1 [0105.785] GetProcessHeap () returned 0x4e0000 [0105.785] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.785] CloseHandle (hObject=0xec) returned 1 [0105.788] GetProcessHeap () returned 0x4e0000 [0105.788] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.788] GetProcessHeap () returned 0x4e0000 [0105.788] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.788] GetProcessHeap () returned 0x4e0000 [0105.788] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.788] GetProcessHeap () returned 0x4e0000 [0105.788] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.788] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\khGDyxsV_OLZUC0JCQ4.mkv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\khGDyxsV_OLZUC0JCQ4.mkv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\khGDyxsV_OLZUC0JCQ4.mkv" [0105.788] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\khGDyxsV_OLZUC0JCQ4.mkv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\khGDyxsV_OLZUC0JCQ4.mkv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\khGDyxsV_OLZUC0JCQ4.mkv.NEPHILIM" [0105.788] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\khGDyxsV_OLZUC0JCQ4.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\khgdyxsv_olzuc0jcq4.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\khGDyxsV_OLZUC0JCQ4.mkv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\khgdyxsv_olzuc0jcq4.mkv.nephilim")) returned 1 [0105.792] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d49b3c0, ftCreationTime.dwHighDateTime=0x1d5dd49, ftLastAccessTime.dwLowDateTime=0x9acb38e0, ftLastAccessTime.dwHighDateTime=0x1d5e7ee, ftLastWriteTime.dwLowDateTime=0x9acb38e0, ftLastWriteTime.dwHighDateTime=0x1d5e7ee, nFileSizeHigh=0x0, nFileSizeLow=0xcc2c, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="KNn9-FpPmi_nrt NaJ.flv", cAlternateFileName="KNN9-F~1.FLV")) returned 1 [0105.792] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2=".") returned 1 [0105.792] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="..") returned 1 [0105.792] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="...") returned 1 [0105.792] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="windows") returned -1 [0105.792] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="$RECYCLE.BIN") returned 1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="rsa") returned -1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="log") returned -1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="NTDETECT.COM") returned -1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="ntldr") returned -1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="MSDOS.SYS") returned -1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="IO.SYS") returned 1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="boot.ini") returned 1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="AUTOEXEC.BAT") returned 1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="ntuser.dat") returned -1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="desktop.ini") returned 1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="CONFIG.SYS") returned 1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="RECYCLER") returned -1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="BOOTSECT.BAK") returned 1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="bootmgr") returned 1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="programdata") returned -1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="appdata") returned 1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="program files") returned -1 [0105.793] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="program files (x86)") returned -1 [0105.793] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.793] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="KNn9-FpPmi_nrt NaJ.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\KNn9-FpPmi_nrt NaJ.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\KNn9-FpPmi_nrt NaJ.flv" [0105.793] PathFindExtensionW (pszPath="KNn9-FpPmi_nrt NaJ.flv") returned=".flv" [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".NEPHILIM") returned -1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0105.794] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0105.794] lstrcmpiW (lpString1="KNn9-FpPmi_nrt NaJ.flv", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.794] lstrlenA (lpString="NEPHILIM") returned 8 [0105.794] GetProcessHeap () returned 0x4e0000 [0105.794] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b920 [0105.794] lstrlenA (lpString="NEPHILIM") returned 8 [0105.794] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\KNn9-FpPmi_nrt NaJ.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\knn9-fppmi_nrt naj.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.795] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=52268) returned 1 [0105.795] GetProcessHeap () returned 0x4e0000 [0105.795] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.795] GetProcessHeap () returned 0x4e0000 [0105.795] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.795] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.795] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.795] GetProcessHeap () returned 0x4e0000 [0105.795] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.795] GetProcessHeap () returned 0x4e0000 [0105.795] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.795] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.796] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.796] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xcc2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.796] SetLastError (dwErrCode=0x0) [0105.796] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.797] GetLastError () returned 0x0 [0105.797] GetLastError () returned 0x0 [0105.797] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xcd2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.797] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.797] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xce2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.797] lstrlenA (lpString="NEPHILIM") returned 8 [0105.797] WriteFile (in: hFile=0xec, lpBuffer=0x50b920*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b920*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.797] GetProcessHeap () returned 0x4e0000 [0105.797] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xcc2c) returned 0x50dcb8 [0105.797] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.798] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xcc2c, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0xcc2c, lpOverlapped=0x0) returned 1 [0105.801] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.801] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xcc2c, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0xcc2c, lpOverlapped=0x0) returned 1 [0105.801] GetProcessHeap () returned 0x4e0000 [0105.801] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.801] CloseHandle (hObject=0xec) returned 1 [0105.804] GetProcessHeap () returned 0x4e0000 [0105.804] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.804] GetProcessHeap () returned 0x4e0000 [0105.804] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.804] GetProcessHeap () returned 0x4e0000 [0105.804] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.804] GetProcessHeap () returned 0x4e0000 [0105.804] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.804] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\KNn9-FpPmi_nrt NaJ.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\KNn9-FpPmi_nrt NaJ.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\KNn9-FpPmi_nrt NaJ.flv" [0105.804] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\KNn9-FpPmi_nrt NaJ.flv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\KNn9-FpPmi_nrt NaJ.flv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\KNn9-FpPmi_nrt NaJ.flv.NEPHILIM" [0105.804] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\KNn9-FpPmi_nrt NaJ.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\knn9-fppmi_nrt naj.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\KNn9-FpPmi_nrt NaJ.flv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\knn9-fppmi_nrt naj.flv.nephilim")) returned 1 [0105.805] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb48a3270, ftCreationTime.dwHighDateTime=0x1d5dde6, ftLastAccessTime.dwLowDateTime=0x92634a60, ftLastAccessTime.dwHighDateTime=0x1d5d9e0, ftLastWriteTime.dwLowDateTime=0x92634a60, ftLastWriteTime.dwHighDateTime=0x1d5d9e0, nFileSizeHigh=0x0, nFileSizeLow=0x18031, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="LPk-XAXk-zcc6.flv", cAlternateFileName="LPK-XA~1.FLV")) returned 1 [0105.805] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2=".") returned 1 [0105.805] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="..") returned 1 [0105.805] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="...") returned 1 [0105.805] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="windows") returned -1 [0105.805] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="$RECYCLE.BIN") returned 1 [0105.805] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="rsa") returned -1 [0105.805] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="log") returned 1 [0105.805] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="NTDETECT.COM") returned -1 [0105.805] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="ntldr") returned -1 [0105.805] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="MSDOS.SYS") returned -1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="IO.SYS") returned 1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="boot.ini") returned 1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="AUTOEXEC.BAT") returned 1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="ntuser.dat") returned -1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="desktop.ini") returned 1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="CONFIG.SYS") returned 1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="RECYCLER") returned -1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="BOOTSECT.BAK") returned 1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="bootmgr") returned 1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="programdata") returned -1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="appdata") returned 1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="program files") returned -1 [0105.806] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="program files (x86)") returned -1 [0105.806] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.806] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="LPk-XAXk-zcc6.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPk-XAXk-zcc6.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPk-XAXk-zcc6.flv" [0105.806] PathFindExtensionW (pszPath="LPk-XAXk-zcc6.flv") returned=".flv" [0105.806] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0105.806] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0105.806] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0105.806] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0105.806] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0105.806] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0105.806] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0105.806] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0105.806] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0105.806] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0105.806] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0105.807] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0105.807] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0105.807] lstrcmpiW (lpString1=".flv", lpString2=".NEPHILIM") returned -1 [0105.807] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0105.807] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0105.807] lstrcmpiW (lpString1="LPk-XAXk-zcc6.flv", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.807] lstrlenA (lpString="NEPHILIM") returned 8 [0105.807] GetProcessHeap () returned 0x4e0000 [0105.807] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b930 [0105.807] lstrlenA (lpString="NEPHILIM") returned 8 [0105.807] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPk-XAXk-zcc6.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\lpk-xaxk-zcc6.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.807] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=98353) returned 1 [0105.807] GetProcessHeap () returned 0x4e0000 [0105.807] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.807] GetProcessHeap () returned 0x4e0000 [0105.807] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.807] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.807] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.807] GetProcessHeap () returned 0x4e0000 [0105.807] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.808] GetProcessHeap () returned 0x4e0000 [0105.808] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.808] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.808] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.808] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x18031, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.808] SetLastError (dwErrCode=0x0) [0105.808] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.812] GetLastError () returned 0x0 [0105.812] GetLastError () returned 0x0 [0105.812] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x18131, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.812] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.812] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x18231, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.812] lstrlenA (lpString="NEPHILIM") returned 8 [0105.812] WriteFile (in: hFile=0xec, lpBuffer=0x50b930*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b930*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.812] GetProcessHeap () returned 0x4e0000 [0105.812] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x18031) returned 0x50dcb8 [0105.812] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.812] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x18031, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x18031, lpOverlapped=0x0) returned 1 [0105.818] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.818] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x18031, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x18031, lpOverlapped=0x0) returned 1 [0105.819] GetProcessHeap () returned 0x4e0000 [0105.819] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.819] CloseHandle (hObject=0xec) returned 1 [0105.824] GetProcessHeap () returned 0x4e0000 [0105.824] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.824] GetProcessHeap () returned 0x4e0000 [0105.824] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.824] GetProcessHeap () returned 0x4e0000 [0105.824] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.824] GetProcessHeap () returned 0x4e0000 [0105.824] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.824] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPk-XAXk-zcc6.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPk-XAXk-zcc6.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPk-XAXk-zcc6.flv" [0105.824] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPk-XAXk-zcc6.flv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPk-XAXk-zcc6.flv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPk-XAXk-zcc6.flv.NEPHILIM" [0105.824] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPk-XAXk-zcc6.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\lpk-xaxk-zcc6.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPk-XAXk-zcc6.flv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\lpk-xaxk-zcc6.flv.nephilim")) returned 1 [0105.826] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7315b0d0, ftCreationTime.dwHighDateTime=0x1d5e0ed, ftLastAccessTime.dwLowDateTime=0xcd2970a0, ftLastAccessTime.dwHighDateTime=0x1d5de51, ftLastWriteTime.dwLowDateTime=0xcd2970a0, ftLastWriteTime.dwHighDateTime=0x1d5de51, nFileSizeHigh=0x0, nFileSizeLow=0x13dbf, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="LPNHujbo7.flv", cAlternateFileName="LPNHUJ~1.FLV")) returned 1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2=".") returned 1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="..") returned 1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="...") returned 1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="windows") returned -1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="$RECYCLE.BIN") returned 1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="rsa") returned -1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="log") returned 1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="NTDETECT.COM") returned -1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="ntldr") returned -1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="MSDOS.SYS") returned -1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="IO.SYS") returned 1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="boot.ini") returned 1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="AUTOEXEC.BAT") returned 1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="ntuser.dat") returned -1 [0105.826] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="desktop.ini") returned 1 [0105.827] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="CONFIG.SYS") returned 1 [0105.827] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="RECYCLER") returned -1 [0105.827] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="BOOTSECT.BAK") returned 1 [0105.827] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="bootmgr") returned 1 [0105.827] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="programdata") returned -1 [0105.827] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="appdata") returned 1 [0105.827] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="program files") returned -1 [0105.827] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="program files (x86)") returned -1 [0105.827] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.827] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="LPNHujbo7.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPNHujbo7.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPNHujbo7.flv" [0105.827] PathFindExtensionW (pszPath="LPNHujbo7.flv") returned=".flv" [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".NEPHILIM") returned -1 [0105.827] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0105.828] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0105.828] lstrcmpiW (lpString1="LPNHujbo7.flv", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.828] lstrlenA (lpString="NEPHILIM") returned 8 [0105.828] GetProcessHeap () returned 0x4e0000 [0105.828] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b940 [0105.828] lstrlenA (lpString="NEPHILIM") returned 8 [0105.828] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPNHujbo7.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\lpnhujbo7.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.828] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=81343) returned 1 [0105.828] GetProcessHeap () returned 0x4e0000 [0105.828] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.828] GetProcessHeap () returned 0x4e0000 [0105.828] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.828] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.828] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.828] GetProcessHeap () returned 0x4e0000 [0105.828] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.828] GetProcessHeap () returned 0x4e0000 [0105.828] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.828] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.829] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.829] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x13dbf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.829] SetLastError (dwErrCode=0x0) [0105.829] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.830] GetLastError () returned 0x0 [0105.830] GetLastError () returned 0x0 [0105.830] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x13ebf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.830] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.830] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x13fbf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.830] lstrlenA (lpString="NEPHILIM") returned 8 [0105.830] WriteFile (in: hFile=0xec, lpBuffer=0x50b940*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b940*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.830] GetProcessHeap () returned 0x4e0000 [0105.830] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x13dbf) returned 0x50dcb8 [0105.830] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.830] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x13dbf, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x13dbf, lpOverlapped=0x0) returned 1 [0105.835] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.835] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x13dbf, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x13dbf, lpOverlapped=0x0) returned 1 [0105.835] GetProcessHeap () returned 0x4e0000 [0105.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.835] CloseHandle (hObject=0xec) returned 1 [0105.837] GetProcessHeap () returned 0x4e0000 [0105.837] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.837] GetProcessHeap () returned 0x4e0000 [0105.837] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.837] GetProcessHeap () returned 0x4e0000 [0105.837] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.837] GetProcessHeap () returned 0x4e0000 [0105.837] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.837] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPNHujbo7.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPNHujbo7.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPNHujbo7.flv" [0105.837] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPNHujbo7.flv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPNHujbo7.flv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPNHujbo7.flv.NEPHILIM" [0105.837] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPNHujbo7.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\lpnhujbo7.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\LPNHujbo7.flv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\lpnhujbo7.flv.nephilim")) returned 1 [0105.838] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf57ff500, ftCreationTime.dwHighDateTime=0x1d5e802, ftLastAccessTime.dwLowDateTime=0x706b59d0, ftLastAccessTime.dwHighDateTime=0x1d5dce6, ftLastWriteTime.dwLowDateTime=0x706b59d0, ftLastWriteTime.dwHighDateTime=0x1d5dce6, nFileSizeHigh=0x0, nFileSizeLow=0xde82, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="mGaqWH9Golx6HWsD.flv", cAlternateFileName="MGAQWH~1.FLV")) returned 1 [0105.838] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2=".") returned 1 [0105.838] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="..") returned 1 [0105.838] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="...") returned 1 [0105.838] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="windows") returned -1 [0105.838] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="$RECYCLE.BIN") returned 1 [0105.838] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="rsa") returned -1 [0105.838] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="log") returned 1 [0105.838] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="NTDETECT.COM") returned -1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="ntldr") returned -1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="MSDOS.SYS") returned -1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="IO.SYS") returned 1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="boot.ini") returned 1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="AUTOEXEC.BAT") returned 1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="ntuser.dat") returned -1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="desktop.ini") returned 1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="CONFIG.SYS") returned 1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="RECYCLER") returned -1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="BOOTSECT.BAK") returned 1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="bootmgr") returned 1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="programdata") returned -1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="appdata") returned 1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="program files") returned -1 [0105.839] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="program files (x86)") returned -1 [0105.839] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.839] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="mGaqWH9Golx6HWsD.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mGaqWH9Golx6HWsD.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mGaqWH9Golx6HWsD.flv" [0105.839] PathFindExtensionW (pszPath="mGaqWH9Golx6HWsD.flv") returned=".flv" [0105.839] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0105.839] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0105.839] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0105.839] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0105.839] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0105.839] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0105.839] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0105.840] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0105.840] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0105.840] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0105.840] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0105.840] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0105.840] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0105.840] lstrcmpiW (lpString1=".flv", lpString2=".NEPHILIM") returned -1 [0105.840] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0105.840] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0105.840] lstrcmpiW (lpString1="mGaqWH9Golx6HWsD.flv", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0105.840] lstrlenA (lpString="NEPHILIM") returned 8 [0105.840] GetProcessHeap () returned 0x4e0000 [0105.840] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b950 [0105.840] lstrlenA (lpString="NEPHILIM") returned 8 [0105.840] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mGaqWH9Golx6HWsD.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mgaqwh9golx6hwsd.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.840] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=56962) returned 1 [0105.840] GetProcessHeap () returned 0x4e0000 [0105.841] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.841] GetProcessHeap () returned 0x4e0000 [0105.841] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.841] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.841] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.841] GetProcessHeap () returned 0x4e0000 [0105.841] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.841] GetProcessHeap () returned 0x4e0000 [0105.841] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.841] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.841] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.841] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xde82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.841] SetLastError (dwErrCode=0x0) [0105.841] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.843] GetLastError () returned 0x0 [0105.843] GetLastError () returned 0x0 [0105.843] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xdf82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.843] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.843] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xe082, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.843] lstrlenA (lpString="NEPHILIM") returned 8 [0105.843] WriteFile (in: hFile=0xec, lpBuffer=0x50b950*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b950*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.843] GetProcessHeap () returned 0x4e0000 [0105.843] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xde82) returned 0x50dcb8 [0105.843] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.843] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xde82, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0xde82, lpOverlapped=0x0) returned 1 [0105.847] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.847] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xde82, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0xde82, lpOverlapped=0x0) returned 1 [0105.847] GetProcessHeap () returned 0x4e0000 [0105.847] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.847] CloseHandle (hObject=0xec) returned 1 [0105.849] GetProcessHeap () returned 0x4e0000 [0105.849] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.849] GetProcessHeap () returned 0x4e0000 [0105.849] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.849] GetProcessHeap () returned 0x4e0000 [0105.849] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.849] GetProcessHeap () returned 0x4e0000 [0105.849] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.849] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mGaqWH9Golx6HWsD.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mGaqWH9Golx6HWsD.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mGaqWH9Golx6HWsD.flv" [0105.849] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mGaqWH9Golx6HWsD.flv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mGaqWH9Golx6HWsD.flv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mGaqWH9Golx6HWsD.flv.NEPHILIM" [0105.850] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mGaqWH9Golx6HWsD.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mgaqwh9golx6hwsd.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\mGaqWH9Golx6HWsD.flv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mgaqwh9golx6hwsd.flv.nephilim")) returned 1 [0105.850] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6788cb0, ftCreationTime.dwHighDateTime=0x1d5e19c, ftLastAccessTime.dwLowDateTime=0x7e864f60, ftLastAccessTime.dwHighDateTime=0x1d5e35e, ftLastWriteTime.dwLowDateTime=0x7e864f60, ftLastWriteTime.dwHighDateTime=0x1d5e35e, nFileSizeHigh=0x0, nFileSizeLow=0x14129, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="MJQuKXhYdh.mp4", cAlternateFileName="MJQUKX~1.MP4")) returned 1 [0105.850] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2=".") returned 1 [0105.850] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="..") returned 1 [0105.850] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="...") returned 1 [0105.850] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="windows") returned -1 [0105.850] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="$RECYCLE.BIN") returned 1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="rsa") returned -1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="log") returned 1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="NTDETECT.COM") returned -1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="ntldr") returned -1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="MSDOS.SYS") returned -1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="IO.SYS") returned 1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="boot.ini") returned 1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="ntuser.dat") returned -1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="desktop.ini") returned 1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="CONFIG.SYS") returned 1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="RECYCLER") returned -1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="BOOTSECT.BAK") returned 1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="bootmgr") returned 1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="programdata") returned -1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="appdata") returned 1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="program files") returned -1 [0105.851] lstrcmpiW (lpString1="MJQuKXhYdh.mp4", lpString2="program files (x86)") returned -1 [0105.851] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.851] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="MJQuKXhYdh.mp4" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MJQuKXhYdh.mp4") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\MJQuKXhYdh.mp4" [0105.851] PathFindExtensionW (pszPath="MJQuKXhYdh.mp4") returned=".mp4" [0105.851] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0105.851] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0105.851] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0105.851] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0105.851] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0105.851] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0105.852] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0105.852] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0105.852] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0105.852] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0105.852] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0105.852] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0105.852] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0105.852] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3150be10, ftCreationTime.dwHighDateTime=0x1d5e1ab, ftLastAccessTime.dwLowDateTime=0x704b55d0, ftLastAccessTime.dwHighDateTime=0x1d5d8a0, ftLastWriteTime.dwLowDateTime=0x704b55d0, ftLastWriteTime.dwHighDateTime=0x1d5d8a0, nFileSizeHigh=0x0, nFileSizeLow=0xd744, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="nIx7_sMdrHpfn.flv", cAlternateFileName="NIX7_S~1.FLV")) returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2=".") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="..") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="...") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="windows") returned -1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="$RECYCLE.BIN") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="rsa") returned -1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="log") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="NTDETECT.COM") returned -1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="ntldr") returned -1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="MSDOS.SYS") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="IO.SYS") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="boot.ini") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="AUTOEXEC.BAT") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="ntuser.dat") returned -1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="desktop.ini") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="CONFIG.SYS") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="RECYCLER") returned -1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="BOOTSECT.BAK") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="bootmgr") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="programdata") returned -1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="appdata") returned 1 [0105.852] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="program files") returned -1 [0105.853] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="program files (x86)") returned -1 [0105.853] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.853] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="nIx7_sMdrHpfn.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nIx7_sMdrHpfn.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nIx7_sMdrHpfn.flv" [0105.853] PathFindExtensionW (pszPath="nIx7_sMdrHpfn.flv") returned=".flv" [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".NEPHILIM") returned -1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0105.853] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0105.853] lstrcmpiW (lpString1="nIx7_sMdrHpfn.flv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.853] lstrlenA (lpString="NEPHILIM") returned 8 [0105.853] GetProcessHeap () returned 0x4e0000 [0105.853] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b960 [0105.853] lstrlenA (lpString="NEPHILIM") returned 8 [0105.853] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nIx7_sMdrHpfn.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\nix7_smdrhpfn.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.854] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=55108) returned 1 [0105.854] GetProcessHeap () returned 0x4e0000 [0105.854] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.854] GetProcessHeap () returned 0x4e0000 [0105.854] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.854] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.854] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.854] GetProcessHeap () returned 0x4e0000 [0105.854] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.854] GetProcessHeap () returned 0x4e0000 [0105.854] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.854] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.854] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.854] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xd744, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.854] SetLastError (dwErrCode=0x0) [0105.854] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.855] GetLastError () returned 0x0 [0105.855] GetLastError () returned 0x0 [0105.855] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xd844, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.855] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.855] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xd944, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.856] lstrlenA (lpString="NEPHILIM") returned 8 [0105.856] WriteFile (in: hFile=0xec, lpBuffer=0x50b960*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b960*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.856] GetProcessHeap () returned 0x4e0000 [0105.867] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xd744) returned 0x50dcb8 [0105.867] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.868] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xd744, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0xd744, lpOverlapped=0x0) returned 1 [0105.871] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.871] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xd744, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0xd744, lpOverlapped=0x0) returned 1 [0105.871] GetProcessHeap () returned 0x4e0000 [0105.871] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.871] CloseHandle (hObject=0xec) returned 1 [0105.876] GetProcessHeap () returned 0x4e0000 [0105.876] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.876] GetProcessHeap () returned 0x4e0000 [0105.876] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.876] GetProcessHeap () returned 0x4e0000 [0105.876] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.876] GetProcessHeap () returned 0x4e0000 [0105.876] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.876] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nIx7_sMdrHpfn.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nIx7_sMdrHpfn.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nIx7_sMdrHpfn.flv" [0105.876] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nIx7_sMdrHpfn.flv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nIx7_sMdrHpfn.flv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nIx7_sMdrHpfn.flv.NEPHILIM" [0105.876] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nIx7_sMdrHpfn.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\nix7_smdrhpfn.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nIx7_sMdrHpfn.flv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\nix7_smdrhpfn.flv.nephilim")) returned 1 [0105.877] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad724e00, ftCreationTime.dwHighDateTime=0x1d5d8b4, ftLastAccessTime.dwLowDateTime=0x9d2f94d0, ftLastAccessTime.dwHighDateTime=0x1d5dc60, ftLastWriteTime.dwLowDateTime=0x9d2f94d0, ftLastWriteTime.dwHighDateTime=0x1d5dc60, nFileSizeHigh=0x0, nFileSizeLow=0xf920, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="nVZsSQJJqgF12m.mp4", cAlternateFileName="NVZSSQ~1.MP4")) returned 1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2=".") returned 1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="..") returned 1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="...") returned 1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="windows") returned -1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="$RECYCLE.BIN") returned 1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="rsa") returned -1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="log") returned 1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="NTDETECT.COM") returned 1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="ntldr") returned 1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="MSDOS.SYS") returned 1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="IO.SYS") returned 1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="boot.ini") returned 1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0105.877] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="ntuser.dat") returned 1 [0105.878] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="desktop.ini") returned 1 [0105.878] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="CONFIG.SYS") returned 1 [0105.878] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="RECYCLER") returned -1 [0105.878] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="BOOTSECT.BAK") returned 1 [0105.878] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="bootmgr") returned 1 [0105.878] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="programdata") returned -1 [0105.878] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="appdata") returned 1 [0105.878] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="program files") returned -1 [0105.878] lstrcmpiW (lpString1="nVZsSQJJqgF12m.mp4", lpString2="program files (x86)") returned -1 [0105.878] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.878] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="nVZsSQJJqgF12m.mp4" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nVZsSQJJqgF12m.mp4") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\nVZsSQJJqgF12m.mp4" [0105.878] PathFindExtensionW (pszPath="nVZsSQJJqgF12m.mp4") returned=".mp4" [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0105.878] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0105.879] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1be9ca0, ftCreationTime.dwHighDateTime=0x1d5dbcd, ftLastAccessTime.dwLowDateTime=0xfb08c0c0, ftLastAccessTime.dwHighDateTime=0x1d5e009, ftLastWriteTime.dwLowDateTime=0xfb08c0c0, ftLastWriteTime.dwHighDateTime=0x1d5e009, nFileSizeHigh=0x0, nFileSizeLow=0xbfa2, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="OyfV5 iV5L3aLTKdy1FG.swf", cAlternateFileName="OYFV5I~1.SWF")) returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2=".") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="..") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="...") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="windows") returned -1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="$RECYCLE.BIN") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="rsa") returned -1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="log") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="NTDETECT.COM") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="ntldr") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="MSDOS.SYS") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="IO.SYS") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="boot.ini") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="AUTOEXEC.BAT") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="ntuser.dat") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="desktop.ini") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="CONFIG.SYS") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="RECYCLER") returned -1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="BOOTSECT.BAK") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="bootmgr") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="programdata") returned -1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="appdata") returned 1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="program files") returned -1 [0105.879] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="program files (x86)") returned -1 [0105.879] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.879] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="OyfV5 iV5L3aLTKdy1FG.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OyfV5 iV5L3aLTKdy1FG.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OyfV5 iV5L3aLTKdy1FG.swf" [0105.880] PathFindExtensionW (pszPath="OyfV5 iV5L3aLTKdy1FG.swf") returned=".swf" [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".NEPHILIM") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0105.880] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0105.880] lstrcmpiW (lpString1="OyfV5 iV5L3aLTKdy1FG.swf", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.880] lstrlenA (lpString="NEPHILIM") returned 8 [0105.880] GetProcessHeap () returned 0x4e0000 [0105.880] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b970 [0105.880] lstrlenA (lpString="NEPHILIM") returned 8 [0105.880] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OyfV5 iV5L3aLTKdy1FG.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\oyfv5 iv5l3altkdy1fg.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.881] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=49058) returned 1 [0105.881] GetProcessHeap () returned 0x4e0000 [0105.881] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.881] GetProcessHeap () returned 0x4e0000 [0105.881] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.881] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.881] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.881] GetProcessHeap () returned 0x4e0000 [0105.881] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.881] GetProcessHeap () returned 0x4e0000 [0105.881] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.881] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.881] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.882] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xbfa2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.882] SetLastError (dwErrCode=0x0) [0105.882] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.883] GetLastError () returned 0x0 [0105.883] GetLastError () returned 0x0 [0105.883] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xc0a2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.883] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.883] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xc1a2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.883] lstrlenA (lpString="NEPHILIM") returned 8 [0105.883] WriteFile (in: hFile=0xec, lpBuffer=0x50b970*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b970*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.883] GetProcessHeap () returned 0x4e0000 [0105.883] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xbfa2) returned 0x50dcb8 [0105.883] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.883] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0xbfa2, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0xbfa2, lpOverlapped=0x0) returned 1 [0105.886] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.886] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0xbfa2, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0xbfa2, lpOverlapped=0x0) returned 1 [0105.886] GetProcessHeap () returned 0x4e0000 [0105.886] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.886] CloseHandle (hObject=0xec) returned 1 [0105.892] GetProcessHeap () returned 0x4e0000 [0105.892] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.893] GetProcessHeap () returned 0x4e0000 [0105.893] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.893] GetProcessHeap () returned 0x4e0000 [0105.893] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.893] GetProcessHeap () returned 0x4e0000 [0105.893] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.893] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OyfV5 iV5L3aLTKdy1FG.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OyfV5 iV5L3aLTKdy1FG.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OyfV5 iV5L3aLTKdy1FG.swf" [0105.893] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OyfV5 iV5L3aLTKdy1FG.swf", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OyfV5 iV5L3aLTKdy1FG.swf.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OyfV5 iV5L3aLTKdy1FG.swf.NEPHILIM" [0105.893] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OyfV5 iV5L3aLTKdy1FG.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\oyfv5 iv5l3altkdy1fg.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OyfV5 iV5L3aLTKdy1FG.swf.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\oyfv5 iv5l3altkdy1fg.swf.nephilim")) returned 1 [0105.894] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb4f000, ftCreationTime.dwHighDateTime=0x1d5e015, ftLastAccessTime.dwLowDateTime=0xdd610dc0, ftLastAccessTime.dwHighDateTime=0x1d5e7c0, ftLastWriteTime.dwLowDateTime=0xdd610dc0, ftLastWriteTime.dwHighDateTime=0x1d5e7c0, nFileSizeHigh=0x0, nFileSizeLow=0x8c5f, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="P2_bWcO132my2U-GwQ6.mkv", cAlternateFileName="P2_BWC~1.MKV")) returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2=".") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="..") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="...") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="windows") returned -1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="$RECYCLE.BIN") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="rsa") returned -1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="log") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="NTDETECT.COM") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="ntldr") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="MSDOS.SYS") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="IO.SYS") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="boot.ini") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="ntuser.dat") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="desktop.ini") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="CONFIG.SYS") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="RECYCLER") returned -1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="BOOTSECT.BAK") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="bootmgr") returned 1 [0105.894] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="programdata") returned -1 [0105.895] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="appdata") returned 1 [0105.895] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="program files") returned -1 [0105.895] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="program files (x86)") returned -1 [0105.895] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.895] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="P2_bWcO132my2U-GwQ6.mkv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2_bWcO132my2U-GwQ6.mkv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2_bWcO132my2U-GwQ6.mkv" [0105.895] PathFindExtensionW (pszPath="P2_bWcO132my2U-GwQ6.mkv") returned=".mkv" [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".NEPHILIM") returned -1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0105.895] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0105.895] lstrcmpiW (lpString1="P2_bWcO132my2U-GwQ6.mkv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.895] lstrlenA (lpString="NEPHILIM") returned 8 [0105.895] GetProcessHeap () returned 0x4e0000 [0105.895] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b980 [0105.896] lstrlenA (lpString="NEPHILIM") returned 8 [0105.896] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2_bWcO132my2U-GwQ6.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2_bwco132my2u-gwq6.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.896] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=35935) returned 1 [0105.896] GetProcessHeap () returned 0x4e0000 [0105.896] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.896] GetProcessHeap () returned 0x4e0000 [0105.896] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.896] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.896] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.896] GetProcessHeap () returned 0x4e0000 [0105.896] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.896] GetProcessHeap () returned 0x4e0000 [0105.896] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.896] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.897] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.897] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8c5f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.897] SetLastError (dwErrCode=0x0) [0105.897] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.898] GetLastError () returned 0x0 [0105.898] GetLastError () returned 0x0 [0105.898] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8d5f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.898] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.898] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x8e5f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.899] lstrlenA (lpString="NEPHILIM") returned 8 [0105.899] WriteFile (in: hFile=0xec, lpBuffer=0x50b980*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b980*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.899] GetProcessHeap () returned 0x4e0000 [0105.899] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8c5f) returned 0x50dcb8 [0105.899] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.899] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x8c5f, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x8c5f, lpOverlapped=0x0) returned 1 [0105.901] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.901] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x8c5f, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x8c5f, lpOverlapped=0x0) returned 1 [0105.902] GetProcessHeap () returned 0x4e0000 [0105.902] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.902] CloseHandle (hObject=0xec) returned 1 [0105.906] GetProcessHeap () returned 0x4e0000 [0105.906] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.906] GetProcessHeap () returned 0x4e0000 [0105.906] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.906] GetProcessHeap () returned 0x4e0000 [0105.906] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.906] GetProcessHeap () returned 0x4e0000 [0105.906] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.906] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2_bWcO132my2U-GwQ6.mkv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2_bWcO132my2U-GwQ6.mkv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2_bWcO132my2U-GwQ6.mkv" [0105.906] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2_bWcO132my2U-GwQ6.mkv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2_bWcO132my2U-GwQ6.mkv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2_bWcO132my2U-GwQ6.mkv.NEPHILIM" [0105.906] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2_bWcO132my2U-GwQ6.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2_bwco132my2u-gwq6.mkv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\P2_bWcO132my2U-GwQ6.mkv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p2_bwco132my2u-gwq6.mkv.nephilim")) returned 1 [0105.907] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7c5ff10, ftCreationTime.dwHighDateTime=0x1d5e607, ftLastAccessTime.dwLowDateTime=0x7aa3d720, ftLastAccessTime.dwHighDateTime=0x1d5de52, ftLastWriteTime.dwLowDateTime=0x7aa3d720, ftLastWriteTime.dwHighDateTime=0x1d5de52, nFileSizeHigh=0x0, nFileSizeLow=0x65d5, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="Rc317_O.flv", cAlternateFileName="")) returned 1 [0105.907] lstrcmpiW (lpString1="Rc317_O.flv", lpString2=".") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="..") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="...") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="windows") returned -1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="$RECYCLE.BIN") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="rsa") returned -1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="log") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="NTDETECT.COM") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="ntldr") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="MSDOS.SYS") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="IO.SYS") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="boot.ini") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="AUTOEXEC.BAT") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="ntuser.dat") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="desktop.ini") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="CONFIG.SYS") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="RECYCLER") returned -1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="BOOTSECT.BAK") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="bootmgr") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="programdata") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="appdata") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="program files") returned 1 [0105.908] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="program files (x86)") returned 1 [0105.908] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.908] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Rc317_O.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Rc317_O.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Rc317_O.flv" [0105.909] PathFindExtensionW (pszPath="Rc317_O.flv") returned=".flv" [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".NEPHILIM") returned -1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0105.909] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0105.909] lstrcmpiW (lpString1="Rc317_O.flv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.909] lstrlenA (lpString="NEPHILIM") returned 8 [0105.909] GetProcessHeap () returned 0x4e0000 [0105.909] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b990 [0105.909] lstrlenA (lpString="NEPHILIM") returned 8 [0105.909] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Rc317_O.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\rc317_o.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.910] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=26069) returned 1 [0105.910] GetProcessHeap () returned 0x4e0000 [0105.910] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.910] GetProcessHeap () returned 0x4e0000 [0105.910] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.910] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.910] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.910] GetProcessHeap () returned 0x4e0000 [0105.910] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.910] GetProcessHeap () returned 0x4e0000 [0105.910] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.910] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.910] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.911] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x65d5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.911] SetLastError (dwErrCode=0x0) [0105.911] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.912] GetLastError () returned 0x0 [0105.912] GetLastError () returned 0x0 [0105.912] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x66d5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.912] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.912] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x67d5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.912] lstrlenA (lpString="NEPHILIM") returned 8 [0105.912] WriteFile (in: hFile=0xec, lpBuffer=0x50b990*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b990*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.912] GetProcessHeap () returned 0x4e0000 [0105.912] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x65d5) returned 0x50dcb8 [0105.912] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.912] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x65d5, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x65d5, lpOverlapped=0x0) returned 1 [0105.914] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.914] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x65d5, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x65d5, lpOverlapped=0x0) returned 1 [0105.914] GetProcessHeap () returned 0x4e0000 [0105.915] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.915] CloseHandle (hObject=0xec) returned 1 [0105.920] GetProcessHeap () returned 0x4e0000 [0105.920] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.920] GetProcessHeap () returned 0x4e0000 [0105.920] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.920] GetProcessHeap () returned 0x4e0000 [0105.920] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.921] GetProcessHeap () returned 0x4e0000 [0105.921] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.921] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Rc317_O.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Rc317_O.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Rc317_O.flv" [0105.921] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Rc317_O.flv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Rc317_O.flv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Rc317_O.flv.NEPHILIM" [0105.921] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Rc317_O.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\rc317_o.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Rc317_O.flv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\rc317_o.flv.nephilim")) returned 1 [0105.922] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b3f54e0, ftCreationTime.dwHighDateTime=0x1d5e1a2, ftLastAccessTime.dwLowDateTime=0x1efbf220, ftLastAccessTime.dwHighDateTime=0x1d5e304, ftLastWriteTime.dwLowDateTime=0x1efbf220, ftLastWriteTime.dwHighDateTime=0x1d5e304, nFileSizeHigh=0x0, nFileSizeLow=0x12807, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="Sh8obPrmTDGZG.mp4", cAlternateFileName="SH8OBP~1.MP4")) returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2=".") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="..") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="...") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="windows") returned -1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="$RECYCLE.BIN") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="rsa") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="log") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="NTDETECT.COM") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="ntldr") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="MSDOS.SYS") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="IO.SYS") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="boot.ini") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="ntuser.dat") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="desktop.ini") returned 1 [0105.922] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="CONFIG.SYS") returned 1 [0105.923] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="RECYCLER") returned 1 [0105.923] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="BOOTSECT.BAK") returned 1 [0105.923] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="bootmgr") returned 1 [0105.923] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="programdata") returned 1 [0105.923] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="appdata") returned 1 [0105.923] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="program files") returned 1 [0105.923] lstrcmpiW (lpString1="Sh8obPrmTDGZG.mp4", lpString2="program files (x86)") returned 1 [0105.923] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.923] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Sh8obPrmTDGZG.mp4" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Sh8obPrmTDGZG.mp4") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Sh8obPrmTDGZG.mp4" [0105.923] PathFindExtensionW (pszPath="Sh8obPrmTDGZG.mp4") returned=".mp4" [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0105.923] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0105.923] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d418b70, ftCreationTime.dwHighDateTime=0x1d5dc3a, ftLastAccessTime.dwLowDateTime=0xb9e5b630, ftLastAccessTime.dwHighDateTime=0x1d5e49f, ftLastWriteTime.dwLowDateTime=0xb9e5b630, ftLastWriteTime.dwHighDateTime=0x1d5e49f, nFileSizeHigh=0x0, nFileSizeLow=0x9f97, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="sXRDodAxncGscJ.mp4", cAlternateFileName="SXRDOD~1.MP4")) returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2=".") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="..") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="...") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="windows") returned -1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="$RECYCLE.BIN") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="rsa") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="log") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="NTDETECT.COM") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="ntldr") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="MSDOS.SYS") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="IO.SYS") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="boot.ini") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="ntuser.dat") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="desktop.ini") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="CONFIG.SYS") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="RECYCLER") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="BOOTSECT.BAK") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="bootmgr") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="programdata") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="appdata") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="program files") returned 1 [0105.924] lstrcmpiW (lpString1="sXRDodAxncGscJ.mp4", lpString2="program files (x86)") returned 1 [0105.924] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.925] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="sXRDodAxncGscJ.mp4" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\sXRDodAxncGscJ.mp4") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\sXRDodAxncGscJ.mp4" [0105.925] PathFindExtensionW (pszPath="sXRDodAxncGscJ.mp4") returned=".mp4" [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0105.925] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0105.925] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65ddd860, ftCreationTime.dwHighDateTime=0x1d5e472, ftLastAccessTime.dwLowDateTime=0x5922b4e0, ftLastAccessTime.dwHighDateTime=0x1d5e695, ftLastWriteTime.dwLowDateTime=0x5922b4e0, ftLastWriteTime.dwHighDateTime=0x1d5e695, nFileSizeHigh=0x0, nFileSizeLow=0x176df, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="tjsnLloeJl4l2.flv", cAlternateFileName="TJSNLL~1.FLV")) returned 1 [0105.925] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2=".") returned 1 [0105.925] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="..") returned 1 [0105.925] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="...") returned 1 [0105.925] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="windows") returned -1 [0105.925] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="$RECYCLE.BIN") returned 1 [0105.925] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="rsa") returned 1 [0105.925] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="log") returned 1 [0105.925] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="NTDETECT.COM") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="ntldr") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="MSDOS.SYS") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="IO.SYS") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="boot.ini") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="AUTOEXEC.BAT") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="ntuser.dat") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="desktop.ini") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="CONFIG.SYS") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="RECYCLER") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="BOOTSECT.BAK") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="bootmgr") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="programdata") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="appdata") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="program files") returned 1 [0105.926] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="program files (x86)") returned 1 [0105.926] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.926] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="tjsnLloeJl4l2.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tjsnLloeJl4l2.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tjsnLloeJl4l2.flv" [0105.926] PathFindExtensionW (pszPath="tjsnLloeJl4l2.flv") returned=".flv" [0105.926] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0105.926] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0105.926] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0105.926] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0105.926] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0105.926] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0105.927] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0105.927] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0105.927] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0105.927] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0105.927] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0105.927] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0105.927] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0105.927] lstrcmpiW (lpString1=".flv", lpString2=".NEPHILIM") returned -1 [0105.927] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0105.927] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0105.927] lstrcmpiW (lpString1="tjsnLloeJl4l2.flv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.927] lstrlenA (lpString="NEPHILIM") returned 8 [0105.927] GetProcessHeap () returned 0x4e0000 [0105.927] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b9a0 [0105.927] lstrlenA (lpString="NEPHILIM") returned 8 [0105.927] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tjsnLloeJl4l2.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\tjsnlloejl4l2.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.928] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=95967) returned 1 [0105.928] GetProcessHeap () returned 0x4e0000 [0105.928] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.928] GetProcessHeap () returned 0x4e0000 [0105.928] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.928] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.928] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.928] GetProcessHeap () returned 0x4e0000 [0105.928] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.928] GetProcessHeap () returned 0x4e0000 [0105.928] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.928] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.928] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.929] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x176df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.929] SetLastError (dwErrCode=0x0) [0105.929] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.930] GetLastError () returned 0x0 [0105.930] GetLastError () returned 0x0 [0105.930] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x177df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.930] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.930] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x178df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.930] lstrlenA (lpString="NEPHILIM") returned 8 [0105.930] WriteFile (in: hFile=0xec, lpBuffer=0x50b9a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b9a0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.930] GetProcessHeap () returned 0x4e0000 [0105.930] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x176df) returned 0x50dcb8 [0105.930] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.930] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x176df, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x176df, lpOverlapped=0x0) returned 1 [0105.936] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.936] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x176df, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x176df, lpOverlapped=0x0) returned 1 [0105.937] GetProcessHeap () returned 0x4e0000 [0105.937] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.937] CloseHandle (hObject=0xec) returned 1 [0105.944] GetProcessHeap () returned 0x4e0000 [0105.944] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.944] GetProcessHeap () returned 0x4e0000 [0105.944] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.944] GetProcessHeap () returned 0x4e0000 [0105.944] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.944] GetProcessHeap () returned 0x4e0000 [0105.944] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.944] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tjsnLloeJl4l2.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tjsnLloeJl4l2.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tjsnLloeJl4l2.flv" [0105.944] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tjsnLloeJl4l2.flv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tjsnLloeJl4l2.flv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tjsnLloeJl4l2.flv.NEPHILIM" [0105.944] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tjsnLloeJl4l2.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\tjsnlloejl4l2.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\tjsnLloeJl4l2.flv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\tjsnlloejl4l2.flv.nephilim")) returned 1 [0105.945] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4cd0870, ftCreationTime.dwHighDateTime=0x1d5e077, ftLastAccessTime.dwLowDateTime=0x79f7f2e0, ftLastAccessTime.dwHighDateTime=0x1d5d8c4, ftLastWriteTime.dwLowDateTime=0x79f7f2e0, ftLastWriteTime.dwHighDateTime=0x1d5d8c4, nFileSizeHigh=0x0, nFileSizeLow=0x17053, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="UhZbJoCx_ElfPUlH30A.swf", cAlternateFileName="UHZBJO~1.SWF")) returned 1 [0105.945] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2=".") returned 1 [0105.945] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="..") returned 1 [0105.945] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="...") returned 1 [0105.945] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="windows") returned -1 [0105.945] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="$RECYCLE.BIN") returned 1 [0105.945] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="rsa") returned 1 [0105.945] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="log") returned 1 [0105.945] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="NTDETECT.COM") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="ntldr") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="MSDOS.SYS") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="IO.SYS") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="boot.ini") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="AUTOEXEC.BAT") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="ntuser.dat") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="desktop.ini") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="CONFIG.SYS") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="RECYCLER") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="BOOTSECT.BAK") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="bootmgr") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="programdata") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="appdata") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="program files") returned 1 [0105.946] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="program files (x86)") returned 1 [0105.946] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.946] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="UhZbJoCx_ElfPUlH30A.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UhZbJoCx_ElfPUlH30A.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UhZbJoCx_ElfPUlH30A.swf" [0105.946] PathFindExtensionW (pszPath="UhZbJoCx_ElfPUlH30A.swf") returned=".swf" [0105.946] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0105.946] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0105.946] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0105.946] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0105.946] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0105.946] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0105.947] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0105.947] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0105.947] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0105.947] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0105.947] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0105.947] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0105.947] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0105.947] lstrcmpiW (lpString1=".swf", lpString2=".NEPHILIM") returned 1 [0105.947] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0105.947] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0105.947] lstrcmpiW (lpString1="UhZbJoCx_ElfPUlH30A.swf", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.947] lstrlenA (lpString="NEPHILIM") returned 8 [0105.947] GetProcessHeap () returned 0x4e0000 [0105.947] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b9b0 [0105.947] lstrlenA (lpString="NEPHILIM") returned 8 [0105.947] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UhZbJoCx_ElfPUlH30A.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uhzbjocx_elfpulh30a.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.948] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=94291) returned 1 [0105.948] GetProcessHeap () returned 0x4e0000 [0105.948] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.948] GetProcessHeap () returned 0x4e0000 [0105.948] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.948] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.948] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.948] GetProcessHeap () returned 0x4e0000 [0105.948] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.948] GetProcessHeap () returned 0x4e0000 [0105.948] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.948] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.948] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.948] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17053, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.949] SetLastError (dwErrCode=0x0) [0105.949] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.953] GetLastError () returned 0x0 [0105.953] GetLastError () returned 0x0 [0105.954] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17153, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.954] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.954] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17253, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.954] lstrlenA (lpString="NEPHILIM") returned 8 [0105.954] WriteFile (in: hFile=0xec, lpBuffer=0x50b9b0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b9b0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.954] GetProcessHeap () returned 0x4e0000 [0105.954] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x17053) returned 0x50dcb8 [0105.954] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.954] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x17053, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x17053, lpOverlapped=0x0) returned 1 [0105.960] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.960] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x17053, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x17053, lpOverlapped=0x0) returned 1 [0105.961] GetProcessHeap () returned 0x4e0000 [0105.961] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.961] CloseHandle (hObject=0xec) returned 1 [0105.964] GetProcessHeap () returned 0x4e0000 [0105.964] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.964] GetProcessHeap () returned 0x4e0000 [0105.964] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.964] GetProcessHeap () returned 0x4e0000 [0105.964] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.964] GetProcessHeap () returned 0x4e0000 [0105.964] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.964] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UhZbJoCx_ElfPUlH30A.swf" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UhZbJoCx_ElfPUlH30A.swf") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UhZbJoCx_ElfPUlH30A.swf" [0105.964] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UhZbJoCx_ElfPUlH30A.swf", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UhZbJoCx_ElfPUlH30A.swf.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UhZbJoCx_ElfPUlH30A.swf.NEPHILIM" [0105.964] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UhZbJoCx_ElfPUlH30A.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uhzbjocx_elfpulh30a.swf"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UhZbJoCx_ElfPUlH30A.swf.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uhzbjocx_elfpulh30a.swf.nephilim")) returned 1 [0105.965] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd11a49e0, ftCreationTime.dwHighDateTime=0x1d5df01, ftLastAccessTime.dwLowDateTime=0x2fa857d0, ftLastAccessTime.dwHighDateTime=0x1d5d8f0, ftLastWriteTime.dwLowDateTime=0x2fa857d0, ftLastWriteTime.dwHighDateTime=0x1d5d8f0, nFileSizeHigh=0x0, nFileSizeLow=0x22df, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="VqGxYN5.flv", cAlternateFileName="")) returned 1 [0105.965] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2=".") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="..") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="...") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="windows") returned -1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="$RECYCLE.BIN") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="rsa") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="log") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="NTDETECT.COM") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="ntldr") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="MSDOS.SYS") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="IO.SYS") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="boot.ini") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="AUTOEXEC.BAT") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="ntuser.dat") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="desktop.ini") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="CONFIG.SYS") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="RECYCLER") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="BOOTSECT.BAK") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="bootmgr") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="programdata") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="appdata") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="program files") returned 1 [0105.966] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="program files (x86)") returned 1 [0105.966] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.967] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="VqGxYN5.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VqGxYN5.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VqGxYN5.flv" [0105.967] PathFindExtensionW (pszPath="VqGxYN5.flv") returned=".flv" [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".NEPHILIM") returned -1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0105.967] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0105.967] lstrcmpiW (lpString1="VqGxYN5.flv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.967] lstrlenA (lpString="NEPHILIM") returned 8 [0105.967] GetProcessHeap () returned 0x4e0000 [0105.967] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b9c0 [0105.967] lstrlenA (lpString="NEPHILIM") returned 8 [0105.968] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VqGxYN5.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vqgxyn5.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.968] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=8927) returned 1 [0105.968] GetProcessHeap () returned 0x4e0000 [0105.968] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.968] GetProcessHeap () returned 0x4e0000 [0105.968] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.968] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.968] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.968] GetProcessHeap () returned 0x4e0000 [0105.968] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.968] GetProcessHeap () returned 0x4e0000 [0105.968] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.968] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.969] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.969] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x22df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.969] SetLastError (dwErrCode=0x0) [0105.969] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.970] GetLastError () returned 0x0 [0105.970] GetLastError () returned 0x0 [0105.970] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x23df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.970] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.970] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x24df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.971] lstrlenA (lpString="NEPHILIM") returned 8 [0105.971] WriteFile (in: hFile=0xec, lpBuffer=0x50b9c0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b9c0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.971] GetProcessHeap () returned 0x4e0000 [0105.971] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x22df) returned 0x50dcb8 [0105.971] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.971] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x22df, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x22df, lpOverlapped=0x0) returned 1 [0105.971] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.972] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x22df, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x22df, lpOverlapped=0x0) returned 1 [0105.972] GetProcessHeap () returned 0x4e0000 [0105.972] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.972] CloseHandle (hObject=0xec) returned 1 [0105.973] GetProcessHeap () returned 0x4e0000 [0105.973] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.973] GetProcessHeap () returned 0x4e0000 [0105.973] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.973] GetProcessHeap () returned 0x4e0000 [0105.973] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.973] GetProcessHeap () returned 0x4e0000 [0105.973] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.973] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VqGxYN5.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VqGxYN5.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VqGxYN5.flv" [0105.973] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VqGxYN5.flv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VqGxYN5.flv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VqGxYN5.flv.NEPHILIM" [0105.973] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VqGxYN5.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vqgxyn5.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VqGxYN5.flv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vqgxyn5.flv.nephilim")) returned 1 [0105.978] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14d50920, ftCreationTime.dwHighDateTime=0x1d5e70b, ftLastAccessTime.dwLowDateTime=0x9f4e9c60, ftLastAccessTime.dwHighDateTime=0x1d5d8bf, ftLastWriteTime.dwLowDateTime=0x9f4e9c60, ftLastWriteTime.dwHighDateTime=0x1d5d8bf, nFileSizeHigh=0x0, nFileSizeLow=0x15250, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="WLlslyldTTX.avi", cAlternateFileName="WLLSLY~1.AVI")) returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2=".") returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="..") returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="...") returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="windows") returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="$RECYCLE.BIN") returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="rsa") returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="log") returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="NTDETECT.COM") returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="ntldr") returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="MSDOS.SYS") returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="IO.SYS") returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="boot.ini") returned 1 [0105.978] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="AUTOEXEC.BAT") returned 1 [0105.979] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="ntuser.dat") returned 1 [0105.979] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="desktop.ini") returned 1 [0105.979] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="CONFIG.SYS") returned 1 [0105.979] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="RECYCLER") returned 1 [0105.979] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="BOOTSECT.BAK") returned 1 [0105.979] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="bootmgr") returned 1 [0105.979] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="programdata") returned 1 [0105.979] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="appdata") returned 1 [0105.979] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="program files") returned 1 [0105.979] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="program files (x86)") returned 1 [0105.979] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.979] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="WLlslyldTTX.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WLlslyldTTX.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WLlslyldTTX.avi" [0105.979] PathFindExtensionW (pszPath="WLlslyldTTX.avi") returned=".avi" [0105.979] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0105.979] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0105.979] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0105.979] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0105.979] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0105.979] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0105.979] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0105.979] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0105.979] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0105.979] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0105.979] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0105.979] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0105.980] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0105.980] lstrcmpiW (lpString1=".avi", lpString2=".NEPHILIM") returned -1 [0105.980] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0105.980] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0105.980] lstrcmpiW (lpString1="WLlslyldTTX.avi", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.980] lstrlenA (lpString="NEPHILIM") returned 8 [0105.980] GetProcessHeap () returned 0x4e0000 [0105.980] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b9d0 [0105.980] lstrlenA (lpString="NEPHILIM") returned 8 [0105.980] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WLlslyldTTX.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wllslyldttx.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.980] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=86608) returned 1 [0105.980] GetProcessHeap () returned 0x4e0000 [0105.980] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.980] GetProcessHeap () returned 0x4e0000 [0105.980] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.981] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.981] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.981] GetProcessHeap () returned 0x4e0000 [0105.981] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.981] GetProcessHeap () returned 0x4e0000 [0105.981] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.981] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.981] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.981] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.982] SetLastError (dwErrCode=0x0) [0105.982] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.983] GetLastError () returned 0x0 [0105.983] GetLastError () returned 0x0 [0105.983] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.983] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.983] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.983] lstrlenA (lpString="NEPHILIM") returned 8 [0105.983] WriteFile (in: hFile=0xec, lpBuffer=0x50b9d0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b9d0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0105.983] GetProcessHeap () returned 0x4e0000 [0105.983] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x15250) returned 0x50dcb8 [0105.983] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.983] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x15250, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x15250, lpOverlapped=0x0) returned 1 [0105.989] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.989] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x15250, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x15250, lpOverlapped=0x0) returned 1 [0105.989] GetProcessHeap () returned 0x4e0000 [0105.989] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0105.989] CloseHandle (hObject=0xec) returned 1 [0105.991] GetProcessHeap () returned 0x4e0000 [0105.991] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0105.991] GetProcessHeap () returned 0x4e0000 [0105.991] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0105.991] GetProcessHeap () returned 0x4e0000 [0105.991] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0105.991] GetProcessHeap () returned 0x4e0000 [0105.991] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0105.991] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WLlslyldTTX.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WLlslyldTTX.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WLlslyldTTX.avi" [0105.991] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WLlslyldTTX.avi", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WLlslyldTTX.avi.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WLlslyldTTX.avi.NEPHILIM" [0105.992] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WLlslyldTTX.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wllslyldttx.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WLlslyldTTX.avi.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wllslyldttx.avi.nephilim")) returned 1 [0105.992] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab64d6a0, ftCreationTime.dwHighDateTime=0x1d5dc29, ftLastAccessTime.dwLowDateTime=0x849dde70, ftLastAccessTime.dwHighDateTime=0x1d5de56, ftLastWriteTime.dwLowDateTime=0x849dde70, ftLastWriteTime.dwHighDateTime=0x1d5de56, nFileSizeHigh=0x0, nFileSizeLow=0x10d26, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="XwOu.avi", cAlternateFileName="")) returned 1 [0105.992] lstrcmpiW (lpString1="XwOu.avi", lpString2=".") returned 1 [0105.992] lstrcmpiW (lpString1="XwOu.avi", lpString2="..") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="...") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="windows") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="$RECYCLE.BIN") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="rsa") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="log") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="NTDETECT.COM") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="ntldr") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="MSDOS.SYS") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="IO.SYS") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="boot.ini") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="AUTOEXEC.BAT") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="ntuser.dat") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="desktop.ini") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="CONFIG.SYS") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="RECYCLER") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="BOOTSECT.BAK") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="bootmgr") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="programdata") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="appdata") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="program files") returned 1 [0105.993] lstrcmpiW (lpString1="XwOu.avi", lpString2="program files (x86)") returned 1 [0105.993] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0105.993] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="XwOu.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XwOu.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XwOu.avi" [0105.993] PathFindExtensionW (pszPath="XwOu.avi") returned=".avi" [0105.993] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0105.993] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".NEPHILIM") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0105.994] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0105.994] lstrcmpiW (lpString1="XwOu.avi", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0105.994] lstrlenA (lpString="NEPHILIM") returned 8 [0105.994] GetProcessHeap () returned 0x4e0000 [0105.994] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b9e0 [0105.994] lstrlenA (lpString="NEPHILIM") returned 8 [0105.994] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XwOu.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xwou.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0105.995] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=68902) returned 1 [0105.995] GetProcessHeap () returned 0x4e0000 [0105.995] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0105.995] GetProcessHeap () returned 0x4e0000 [0105.995] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0105.995] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0105.995] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0105.995] GetProcessHeap () returned 0x4e0000 [0105.995] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0105.995] GetProcessHeap () returned 0x4e0000 [0105.995] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0105.995] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de208*=0x100) returned 1 [0105.995] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de204*=0x100) returned 1 [0105.996] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10d26, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.996] SetLastError (dwErrCode=0x0) [0105.996] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0105.999] GetLastError () returned 0x0 [0105.999] GetLastError () returned 0x0 [0105.999] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10e26, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.999] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0106.000] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10f26, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.000] lstrlenA (lpString="NEPHILIM") returned 8 [0106.000] WriteFile (in: hFile=0xec, lpBuffer=0x50b9e0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b9e0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0106.000] GetProcessHeap () returned 0x4e0000 [0106.000] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10d26) returned 0x50dcb8 [0106.000] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.000] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x10d26, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x10d26, lpOverlapped=0x0) returned 1 [0106.004] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.004] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x10d26, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x10d26, lpOverlapped=0x0) returned 1 [0106.005] GetProcessHeap () returned 0x4e0000 [0106.005] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0106.005] CloseHandle (hObject=0xec) returned 1 [0106.008] GetProcessHeap () returned 0x4e0000 [0106.008] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0106.008] GetProcessHeap () returned 0x4e0000 [0106.008] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0106.008] GetProcessHeap () returned 0x4e0000 [0106.008] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0106.008] GetProcessHeap () returned 0x4e0000 [0106.008] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0106.008] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XwOu.avi" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XwOu.avi") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XwOu.avi" [0106.008] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XwOu.avi", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XwOu.avi.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XwOu.avi.NEPHILIM" [0106.008] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XwOu.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xwou.avi"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XwOu.avi.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xwou.avi.nephilim")) returned 1 [0106.009] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a96e70, ftCreationTime.dwHighDateTime=0x1d5e544, ftLastAccessTime.dwLowDateTime=0x6cfe2800, ftLastAccessTime.dwHighDateTime=0x1d5ddc1, ftLastWriteTime.dwLowDateTime=0x6cfe2800, ftLastWriteTime.dwHighDateTime=0x1d5ddc1, nFileSizeHigh=0x0, nFileSizeLow=0x6767, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="yhp6kwj.flv", cAlternateFileName="")) returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2=".") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="..") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="...") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="windows") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="$RECYCLE.BIN") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="rsa") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="log") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="NTDETECT.COM") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="ntldr") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="MSDOS.SYS") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="IO.SYS") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="boot.ini") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="AUTOEXEC.BAT") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="ntuser.dat") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="desktop.ini") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="CONFIG.SYS") returned 1 [0106.009] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="RECYCLER") returned 1 [0106.010] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="BOOTSECT.BAK") returned 1 [0106.010] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="bootmgr") returned 1 [0106.010] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="programdata") returned 1 [0106.010] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="appdata") returned 1 [0106.010] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="program files") returned 1 [0106.010] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="program files (x86)") returned 1 [0106.010] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0106.010] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="yhp6kwj.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yhp6kwj.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yhp6kwj.flv" [0106.010] PathFindExtensionW (pszPath="yhp6kwj.flv") returned=".flv" [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".NEPHILIM") returned -1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0106.010] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0106.011] lstrcmpiW (lpString1="yhp6kwj.flv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0106.011] lstrlenA (lpString="NEPHILIM") returned 8 [0106.011] GetProcessHeap () returned 0x4e0000 [0106.011] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50b9f0 [0106.011] lstrlenA (lpString="NEPHILIM") returned 8 [0106.011] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yhp6kwj.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\yhp6kwj.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0106.011] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=26471) returned 1 [0106.011] GetProcessHeap () returned 0x4e0000 [0106.011] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0106.011] GetProcessHeap () returned 0x4e0000 [0106.011] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0106.011] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0106.011] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0106.011] GetProcessHeap () returned 0x4e0000 [0106.011] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0106.011] GetProcessHeap () returned 0x4e0000 [0106.011] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0106.011] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24de208*=0x100) returned 1 [0106.012] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24de204*=0x100) returned 1 [0106.012] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6767, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.012] SetLastError (dwErrCode=0x0) [0106.012] WriteFile (in: hFile=0xec, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0106.013] GetLastError () returned 0x0 [0106.013] GetLastError () returned 0x0 [0106.013] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6867, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.014] WriteFile (in: hFile=0xec, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0106.014] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x6967, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.014] lstrlenA (lpString="NEPHILIM") returned 8 [0106.014] WriteFile (in: hFile=0xec, lpBuffer=0x50b9f0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50b9f0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0106.014] GetProcessHeap () returned 0x4e0000 [0106.014] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x6767) returned 0x50dcb8 [0106.014] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.014] ReadFile (in: hFile=0xec, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x6767, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24de430*=0x6767, lpOverlapped=0x0) returned 1 [0106.016] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.016] WriteFile (in: hFile=0xec, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x6767, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24de43c*=0x6767, lpOverlapped=0x0) returned 1 [0106.016] GetProcessHeap () returned 0x4e0000 [0106.016] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0106.016] CloseHandle (hObject=0xec) returned 1 [0106.017] GetProcessHeap () returned 0x4e0000 [0106.017] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0106.017] GetProcessHeap () returned 0x4e0000 [0106.017] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0106.017] GetProcessHeap () returned 0x4e0000 [0106.018] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0106.018] GetProcessHeap () returned 0x4e0000 [0106.018] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0106.018] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yhp6kwj.flv" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yhp6kwj.flv") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yhp6kwj.flv" [0106.018] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yhp6kwj.flv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yhp6kwj.flv.NEPHILIM") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yhp6kwj.flv.NEPHILIM" [0106.018] MoveFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yhp6kwj.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\yhp6kwj.flv"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\yhp6kwj.flv.NEPHILIM" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\yhp6kwj.flv.nephilim")) returned 1 [0106.018] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a96e70, ftCreationTime.dwHighDateTime=0x1d5e544, ftLastAccessTime.dwLowDateTime=0x6cfe2800, ftLastAccessTime.dwHighDateTime=0x1d5ddc1, ftLastWriteTime.dwLowDateTime=0x6cfe2800, ftLastWriteTime.dwHighDateTime=0x1d5ddc1, nFileSizeHigh=0x0, nFileSizeLow=0x6767, dwReserved0=0xa8330e1b, dwReserved1=0x8147446f, cFileName="yhp6kwj.flv", cAlternateFileName="")) returned 0 [0106.019] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0106.019] FindNextFileW (in: hFindFile=0x5026e8, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xde99e620, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xde99e620, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Videos", cAlternateFileName="")) returned 0 [0106.019] FindClose (in: hFindFile=0x5026e8 | out: hFindFile=0x5026e8) returned 1 [0106.019] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x3c67b114, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2=".") returned 1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="..") returned 1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="...") returned 1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="windows") returned -1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="$RECYCLE.BIN") returned 1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="rsa") returned -1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="log") returned -1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="NTDETECT.COM") returned -1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="ntldr") returned -1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="MSDOS.SYS") returned -1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="IO.SYS") returned -1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="boot.ini") returned -1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="AUTOEXEC.BAT") returned -1 [0106.019] lstrcmpiW (lpString1="All Users", lpString2="ntuser.dat") returned -1 [0106.020] lstrcmpiW (lpString1="All Users", lpString2="desktop.ini") returned -1 [0106.020] lstrcmpiW (lpString1="All Users", lpString2="CONFIG.SYS") returned -1 [0106.020] lstrcmpiW (lpString1="All Users", lpString2="RECYCLER") returned -1 [0106.020] lstrcmpiW (lpString1="All Users", lpString2="BOOTSECT.BAK") returned -1 [0106.020] lstrcmpiW (lpString1="All Users", lpString2="bootmgr") returned -1 [0106.020] lstrcmpiW (lpString1="All Users", lpString2="programdata") returned -1 [0106.020] lstrcmpiW (lpString1="All Users", lpString2="appdata") returned -1 [0106.020] lstrcmpiW (lpString1="All Users", lpString2="program files") returned -1 [0106.020] lstrcmpiW (lpString1="All Users", lpString2="program files (x86)") returned -1 [0106.020] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Users\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\" [0106.020] lstrcatW (in: lpString1="C:\\Users\\", lpString2="All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users" [0106.020] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0106.020] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0106.020] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\*.*") returned="C:\\Users\\All Users\\*.*" [0106.020] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0106.020] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.020] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="..", cAlternateFileName="")) returned 1 [0106.021] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.021] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.021] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="...") returned 1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="windows") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="$RECYCLE.BIN") returned 1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="rsa") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="log") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="NTDETECT.COM") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="ntldr") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="MSDOS.SYS") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="IO.SYS") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="boot.ini") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="AUTOEXEC.BAT") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="ntuser.dat") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="desktop.ini") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="CONFIG.SYS") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="RECYCLER") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="BOOTSECT.BAK") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="bootmgr") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="programdata") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="appdata") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="program files") returned -1 [0106.021] lstrcmpiW (lpString1="Adobe", lpString2="program files (x86)") returned -1 [0106.022] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0106.022] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Adobe" | out: lpString1="C:\\Users\\All Users\\Adobe") returned="C:\\Users\\All Users\\Adobe" [0106.022] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\") returned="C:\\Users\\All Users\\Adobe\\" [0106.022] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Adobe\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\") returned="C:\\Users\\All Users\\Adobe\\" [0106.022] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Adobe\\*.*") returned="C:\\Users\\All Users\\Adobe\\*.*" [0106.022] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0106.022] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.022] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0106.022] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.022] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.022] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0106.022] lstrcmpiW (lpString1="Acrobat", lpString2=".") returned 1 [0106.022] lstrcmpiW (lpString1="Acrobat", lpString2="..") returned 1 [0106.022] lstrcmpiW (lpString1="Acrobat", lpString2="...") returned 1 [0106.022] lstrcmpiW (lpString1="Acrobat", lpString2="windows") returned -1 [0106.022] lstrcmpiW (lpString1="Acrobat", lpString2="$RECYCLE.BIN") returned 1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="rsa") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="log") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="NTDETECT.COM") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="ntldr") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="MSDOS.SYS") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="IO.SYS") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="boot.ini") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="AUTOEXEC.BAT") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="ntuser.dat") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="desktop.ini") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="CONFIG.SYS") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="RECYCLER") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="BOOTSECT.BAK") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="bootmgr") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="programdata") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="appdata") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="program files") returned -1 [0106.023] lstrcmpiW (lpString1="Acrobat", lpString2="program files (x86)") returned -1 [0106.023] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Adobe\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\") returned="C:\\Users\\All Users\\Adobe\\" [0106.023] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\", lpString2="Acrobat" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat") returned="C:\\Users\\All Users\\Adobe\\Acrobat" [0106.023] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\" [0106.023] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Adobe\\Acrobat\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\" [0106.023] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\*.*") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\*.*" [0106.023] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0106.024] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.024] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0106.024] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.024] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.024] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="10.0", cAlternateFileName="")) returned 1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2=".") returned 1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="..") returned 1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="...") returned 1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="windows") returned -1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="$RECYCLE.BIN") returned 1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="rsa") returned -1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="log") returned -1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="NTDETECT.COM") returned -1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="ntldr") returned -1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="MSDOS.SYS") returned -1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="IO.SYS") returned -1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="boot.ini") returned -1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="AUTOEXEC.BAT") returned -1 [0106.024] lstrcmpiW (lpString1="10.0", lpString2="ntuser.dat") returned -1 [0106.025] lstrcmpiW (lpString1="10.0", lpString2="desktop.ini") returned -1 [0106.025] lstrcmpiW (lpString1="10.0", lpString2="CONFIG.SYS") returned -1 [0106.025] lstrcmpiW (lpString1="10.0", lpString2="RECYCLER") returned -1 [0106.025] lstrcmpiW (lpString1="10.0", lpString2="BOOTSECT.BAK") returned -1 [0106.025] lstrcmpiW (lpString1="10.0", lpString2="bootmgr") returned -1 [0106.025] lstrcmpiW (lpString1="10.0", lpString2="programdata") returned -1 [0106.025] lstrcmpiW (lpString1="10.0", lpString2="appdata") returned -1 [0106.025] lstrcmpiW (lpString1="10.0", lpString2="program files") returned -1 [0106.025] lstrcmpiW (lpString1="10.0", lpString2="program files (x86)") returned -1 [0106.025] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Adobe\\Acrobat\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\" [0106.025] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\", lpString2="10.0" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0" [0106.025] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\" [0106.025] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\" [0106.025] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*" [0106.025] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0106.025] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.025] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0106.025] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.025] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.026] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2=".") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="..") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="...") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="windows") returned -1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="$RECYCLE.BIN") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="rsa") returned -1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="log") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="NTDETECT.COM") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="ntldr") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="MSDOS.SYS") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="IO.SYS") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="boot.ini") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="AUTOEXEC.BAT") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="ntuser.dat") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="desktop.ini") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="CONFIG.SYS") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="RECYCLER") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="BOOTSECT.BAK") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="bootmgr") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="programdata") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="appdata") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="program files") returned 1 [0106.026] lstrcmpiW (lpString1="Replicate", lpString2="program files (x86)") returned 1 [0106.026] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\" [0106.026] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\", lpString2="Replicate" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate" [0106.026] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\" [0106.027] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\" [0106.027] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*" [0106.027] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x540052, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0106.077] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.077] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x540052, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0106.077] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.078] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.078] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x540052, dwReserved1=0x24ddbe0, cFileName="Security", cAlternateFileName="")) returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2=".") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="..") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="...") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="windows") returned -1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="$RECYCLE.BIN") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="rsa") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="log") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="NTDETECT.COM") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="ntldr") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="MSDOS.SYS") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="IO.SYS") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="boot.ini") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="AUTOEXEC.BAT") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="ntuser.dat") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="desktop.ini") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="CONFIG.SYS") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="RECYCLER") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="BOOTSECT.BAK") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="bootmgr") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="programdata") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="appdata") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="program files") returned 1 [0106.078] lstrcmpiW (lpString1="Security", lpString2="program files (x86)") returned 1 [0106.078] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\" [0106.079] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\", lpString2="Security" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security" [0106.079] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\" [0106.079] lstrcpyW (in: lpString1=0x24dcee0, lpString2="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\" [0106.079] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" [0106.079] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*", lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680066, dwReserved1=0x24dd560, cFileName=".", cAlternateFileName="")) returned 0x50aa00 [0106.079] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.079] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680066, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 1 [0106.079] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.079] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.079] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x680066, dwReserved1=0x24dd560, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 1 [0106.079] lstrcmpiW (lpString1="directories.acrodata", lpString2=".") returned 1 [0106.079] lstrcmpiW (lpString1="directories.acrodata", lpString2="..") returned 1 [0106.079] lstrcmpiW (lpString1="directories.acrodata", lpString2="...") returned 1 [0106.079] lstrcmpiW (lpString1="directories.acrodata", lpString2="windows") returned -1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="$RECYCLE.BIN") returned 1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="rsa") returned -1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="log") returned -1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="NTDETECT.COM") returned -1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="ntldr") returned -1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="MSDOS.SYS") returned -1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="IO.SYS") returned -1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="boot.ini") returned 1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="AUTOEXEC.BAT") returned 1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="ntuser.dat") returned -1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="desktop.ini") returned 1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="CONFIG.SYS") returned 1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="RECYCLER") returned -1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="BOOTSECT.BAK") returned 1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="bootmgr") returned 1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="programdata") returned -1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="appdata") returned 1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="program files") returned -1 [0106.080] lstrcmpiW (lpString1="directories.acrodata", lpString2="program files (x86)") returned -1 [0106.080] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\" [0106.080] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", lpString2="directories.acrodata" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" [0106.080] PathFindExtensionW (pszPath="directories.acrodata") returned=".acrodata" [0106.080] lstrcmpiW (lpString1=".acrodata", lpString2=".exe") returned -1 [0106.080] lstrcmpiW (lpString1=".acrodata", lpString2=".log") returned -1 [0106.080] lstrcmpiW (lpString1=".acrodata", lpString2=".cab") returned -1 [0106.080] lstrcmpiW (lpString1=".acrodata", lpString2=".cmd") returned -1 [0106.080] lstrcmpiW (lpString1=".acrodata", lpString2=".com") returned -1 [0106.081] lstrcmpiW (lpString1=".acrodata", lpString2=".cpl") returned -1 [0106.081] lstrcmpiW (lpString1=".acrodata", lpString2=".ini") returned -1 [0106.081] lstrcmpiW (lpString1=".acrodata", lpString2=".dll") returned -1 [0106.081] lstrcmpiW (lpString1=".acrodata", lpString2=".url") returned -1 [0106.081] lstrcmpiW (lpString1=".acrodata", lpString2=".ttf") returned -1 [0106.081] lstrcmpiW (lpString1=".acrodata", lpString2=".mp3") returned -1 [0106.081] lstrcmpiW (lpString1=".acrodata", lpString2=".pif") returned -1 [0106.081] lstrcmpiW (lpString1=".acrodata", lpString2=".mp4") returned -1 [0106.081] lstrcmpiW (lpString1=".acrodata", lpString2=".NEPHILIM") returned -1 [0106.081] lstrcmpiW (lpString1=".acrodata", lpString2=".msi") returned -1 [0106.081] lstrcmpiW (lpString1=".acrodata", lpString2=".lnk") returned -1 [0106.081] lstrcmpiW (lpString1="directories.acrodata", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0106.081] lstrlenA (lpString="NEPHILIM") returned 8 [0106.081] GetProcessHeap () returned 0x4e0000 [0106.081] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50ba00 [0106.081] lstrlenA (lpString="NEPHILIM") returned 8 [0106.081] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xfc [0106.082] GetFileSizeEx (in: hFile=0xfc, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=479) returned 1 [0106.082] GetProcessHeap () returned 0x4e0000 [0106.082] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0106.082] GetProcessHeap () returned 0x4e0000 [0106.082] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0106.082] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0106.082] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0106.082] GetProcessHeap () returned 0x4e0000 [0106.082] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0106.082] GetProcessHeap () returned 0x4e0000 [0106.082] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0106.082] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24dc808*=0x100) returned 1 [0106.083] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24dc804*=0x100) returned 1 [0106.083] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x1df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.083] SetLastError (dwErrCode=0x0) [0106.083] WriteFile (in: hFile=0xfc, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0106.103] GetLastError () returned 0x0 [0106.103] GetLastError () returned 0x0 [0106.103] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x2df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.104] WriteFile (in: hFile=0xfc, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0106.104] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x3df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.104] lstrlenA (lpString="NEPHILIM") returned 8 [0106.104] WriteFile (in: hFile=0xfc, lpBuffer=0x50ba00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50ba00*, lpNumberOfBytesWritten=0x24dca3c*=0x8, lpOverlapped=0x0) returned 1 [0106.104] GetProcessHeap () returned 0x4e0000 [0106.104] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1df) returned 0x50ccb0 [0106.104] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.104] ReadFile (in: hFile=0xfc, lpBuffer=0x50ccb0, nNumberOfBytesToRead=0x1df, lpNumberOfBytesRead=0x24dca30, lpOverlapped=0x0 | out: lpBuffer=0x50ccb0*, lpNumberOfBytesRead=0x24dca30*=0x1df, lpOverlapped=0x0) returned 1 [0106.104] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.105] WriteFile (in: hFile=0xfc, lpBuffer=0x50ccb0*, nNumberOfBytesToWrite=0x1df, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50ccb0*, lpNumberOfBytesWritten=0x24dca3c*=0x1df, lpOverlapped=0x0) returned 1 [0106.105] GetProcessHeap () returned 0x4e0000 [0106.105] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50ccb0 | out: hHeap=0x4e0000) returned 1 [0106.105] CloseHandle (hObject=0xfc) returned 1 [0106.108] GetProcessHeap () returned 0x4e0000 [0106.108] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0106.108] GetProcessHeap () returned 0x4e0000 [0106.108] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0106.108] GetProcessHeap () returned 0x4e0000 [0106.109] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0106.109] GetProcessHeap () returned 0x4e0000 [0106.109] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0106.109] lstrcpyW (in: lpString1=0x24dc828, lpString2="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" [0106.109] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.NEPHILIM") returned="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.NEPHILIM" [0106.109] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), lpNewFileName="C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.NEPHILIM" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata.nephilim")) returned 1 [0106.110] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x680066, dwReserved1=0x24dd560, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 0 [0106.110] FindClose (in: hFindFile=0x50aa00 | out: hFindFile=0x50aa00) returned 1 [0106.110] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x540052, dwReserved1=0x24ddbe0, cFileName="Security", cAlternateFileName="")) returned 0 [0106.110] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0106.110] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 0 [0106.110] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0106.110] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="10.0", cAlternateFileName="")) returned 0 [0106.111] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0106.111] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="ARM", cAlternateFileName="")) returned 1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2=".") returned 1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="..") returned 1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="...") returned 1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="windows") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="$RECYCLE.BIN") returned 1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="rsa") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="log") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="NTDETECT.COM") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="ntldr") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="MSDOS.SYS") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="IO.SYS") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="boot.ini") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="AUTOEXEC.BAT") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="ntuser.dat") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="desktop.ini") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="CONFIG.SYS") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="RECYCLER") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="BOOTSECT.BAK") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="bootmgr") returned -1 [0106.111] lstrcmpiW (lpString1="ARM", lpString2="programdata") returned -1 [0106.112] lstrcmpiW (lpString1="ARM", lpString2="appdata") returned 1 [0106.112] lstrcmpiW (lpString1="ARM", lpString2="program files") returned -1 [0106.112] lstrcmpiW (lpString1="ARM", lpString2="program files (x86)") returned -1 [0106.112] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Adobe\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\") returned="C:\\Users\\All Users\\Adobe\\" [0106.112] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\", lpString2="ARM" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM") returned="C:\\Users\\All Users\\Adobe\\ARM" [0106.112] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\ARM", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\") returned="C:\\Users\\All Users\\Adobe\\ARM\\" [0106.112] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Adobe\\ARM\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\") returned="C:\\Users\\All Users\\Adobe\\ARM\\" [0106.112] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned="C:\\Users\\All Users\\Adobe\\ARM\\*.*" [0106.112] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0106.112] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.112] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0106.113] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.113] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.113] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2=".") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="..") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="...") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="windows") returned -1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="$RECYCLE.BIN") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="rsa") returned -1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="log") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="NTDETECT.COM") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="ntldr") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="MSDOS.SYS") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="IO.SYS") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="boot.ini") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="AUTOEXEC.BAT") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="ntuser.dat") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="desktop.ini") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="CONFIG.SYS") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="RECYCLER") returned -1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="BOOTSECT.BAK") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="bootmgr") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="programdata") returned 1 [0106.113] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="appdata") returned 1 [0106.114] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="program files") returned 1 [0106.114] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="program files (x86)") returned 1 [0106.114] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Adobe\\ARM\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\") returned="C:\\Users\\All Users\\Adobe\\ARM\\" [0106.114] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\", lpString2="Reader_10.0.0" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0" [0106.114] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" [0106.114] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" [0106.114] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0106.114] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0106.118] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.118] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0106.118] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.118] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.118] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e186d00, ftCreationTime.dwHighDateTime=0x1cfb543, ftLastAccessTime.dwLowDateTime=0x7e186d00, ftLastAccessTime.dwHighDateTime=0x1cfb543, ftLastWriteTime.dwLowDateTime=0x7e186d00, ftLastWriteTime.dwHighDateTime=0x1cfb543, nFileSizeHigh=0x0, nFileSizeLow=0x3d800, dwReserved0=0x420040, dwReserved1=0x24de260, cFileName="AdbeRdrSecUpd10111.msp", cAlternateFileName="ADBERD~2.MSP")) returned 1 [0106.118] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2=".") returned 1 [0106.118] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="..") returned 1 [0106.118] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="...") returned 1 [0106.118] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="windows") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="$RECYCLE.BIN") returned 1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="rsa") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="log") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="NTDETECT.COM") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="ntldr") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="MSDOS.SYS") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="IO.SYS") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="boot.ini") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="AUTOEXEC.BAT") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="ntuser.dat") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="desktop.ini") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="CONFIG.SYS") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="RECYCLER") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="BOOTSECT.BAK") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="bootmgr") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="programdata") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="appdata") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="program files") returned -1 [0106.119] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="program files (x86)") returned -1 [0106.119] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" [0106.119] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="AdbeRdrSecUpd10111.msp" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" [0106.119] PathFindExtensionW (pszPath="AdbeRdrSecUpd10111.msp") returned=".msp" [0106.119] lstrcmpiW (lpString1=".msp", lpString2=".exe") returned 1 [0106.119] lstrcmpiW (lpString1=".msp", lpString2=".log") returned 1 [0106.119] lstrcmpiW (lpString1=".msp", lpString2=".cab") returned 1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".cmd") returned 1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".com") returned 1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".cpl") returned 1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".ini") returned 1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".url") returned -1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".ttf") returned -1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".mp3") returned 1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".pif") returned -1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".mp4") returned 1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".NEPHILIM") returned -1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".msi") returned 1 [0106.120] lstrcmpiW (lpString1=".msp", lpString2=".lnk") returned 1 [0106.120] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0106.120] lstrlenA (lpString="NEPHILIM") returned 8 [0106.120] GetProcessHeap () returned 0x4e0000 [0106.120] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50ba10 [0106.120] lstrlenA (lpString="NEPHILIM") returned 8 [0106.120] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0106.124] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=251904) returned 1 [0106.124] GetProcessHeap () returned 0x4e0000 [0106.124] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0106.124] GetProcessHeap () returned 0x4e0000 [0106.124] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0106.124] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0106.125] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0106.125] GetProcessHeap () returned 0x4e0000 [0106.125] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0106.125] GetProcessHeap () returned 0x4e0000 [0106.125] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0106.125] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24dd508*=0x100) returned 1 [0106.125] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24dd504*=0x100) returned 1 [0106.125] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x3d800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.125] SetLastError (dwErrCode=0x0) [0106.125] WriteFile (in: hFile=0xf4, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0106.130] GetLastError () returned 0x0 [0106.130] GetLastError () returned 0x0 [0106.130] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x3d900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.130] WriteFile (in: hFile=0xf4, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0106.130] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x3da00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.130] lstrlenA (lpString="NEPHILIM") returned 8 [0106.130] WriteFile (in: hFile=0xf4, lpBuffer=0x50ba10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50ba10*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0106.130] GetProcessHeap () returned 0x4e0000 [0106.130] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3d800) returned 0x50ecc0 [0106.130] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.130] ReadFile (in: hFile=0xf4, lpBuffer=0x50ecc0, nNumberOfBytesToRead=0x3d800, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x50ecc0*, lpNumberOfBytesRead=0x24dd730*=0x3d800, lpOverlapped=0x0) returned 1 [0106.150] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.150] WriteFile (in: hFile=0xf4, lpBuffer=0x50ecc0*, nNumberOfBytesToWrite=0x3d800, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50ecc0*, lpNumberOfBytesWritten=0x24dd73c*=0x3d800, lpOverlapped=0x0) returned 1 [0106.151] GetProcessHeap () returned 0x4e0000 [0106.151] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50ecc0 | out: hHeap=0x4e0000) returned 1 [0106.151] CloseHandle (hObject=0xf4) returned 1 [0106.162] GetProcessHeap () returned 0x4e0000 [0106.162] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0106.162] GetProcessHeap () returned 0x4e0000 [0106.162] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0106.163] GetProcessHeap () returned 0x4e0000 [0106.163] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0106.163] GetProcessHeap () returned 0x4e0000 [0106.163] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0106.163] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" [0106.163] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.NEPHILIM") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.NEPHILIM" [0106.163] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), lpNewFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.NEPHILIM" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp.nephilim")) returned 1 [0106.164] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4450880, ftCreationTime.dwHighDateTime=0x1cf6c45, ftLastAccessTime.dwLowDateTime=0xb4450880, ftLastAccessTime.dwHighDateTime=0x1cf6c45, ftLastWriteTime.dwLowDateTime=0xb4450880, ftLastWriteTime.dwHighDateTime=0x1cf6c45, nFileSizeHigh=0x0, nFileSizeLow=0x10e3000, dwReserved0=0x420040, dwReserved1=0x24de260, cFileName="AdbeRdrUpd10110_MUI.msp", cAlternateFileName="ADBERD~1.MSP")) returned 1 [0106.164] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2=".") returned 1 [0106.164] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="..") returned 1 [0106.164] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="...") returned 1 [0106.164] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="windows") returned -1 [0106.164] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="$RECYCLE.BIN") returned 1 [0106.164] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="rsa") returned -1 [0106.164] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="log") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="NTDETECT.COM") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="ntldr") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="MSDOS.SYS") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="IO.SYS") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="boot.ini") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="AUTOEXEC.BAT") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="ntuser.dat") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="desktop.ini") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="CONFIG.SYS") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="RECYCLER") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="BOOTSECT.BAK") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="bootmgr") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="programdata") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="appdata") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="program files") returned -1 [0106.165] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="program files (x86)") returned -1 [0106.165] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" [0106.165] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="AdbeRdrUpd10110_MUI.msp" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" [0106.165] PathFindExtensionW (pszPath="AdbeRdrUpd10110_MUI.msp") returned=".msp" [0106.165] lstrcmpiW (lpString1=".msp", lpString2=".exe") returned 1 [0106.165] lstrcmpiW (lpString1=".msp", lpString2=".log") returned 1 [0106.165] lstrcmpiW (lpString1=".msp", lpString2=".cab") returned 1 [0106.165] lstrcmpiW (lpString1=".msp", lpString2=".cmd") returned 1 [0106.166] lstrcmpiW (lpString1=".msp", lpString2=".com") returned 1 [0106.166] lstrcmpiW (lpString1=".msp", lpString2=".cpl") returned 1 [0106.166] lstrcmpiW (lpString1=".msp", lpString2=".ini") returned 1 [0106.166] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0106.166] lstrcmpiW (lpString1=".msp", lpString2=".url") returned -1 [0106.166] lstrcmpiW (lpString1=".msp", lpString2=".ttf") returned -1 [0106.166] lstrcmpiW (lpString1=".msp", lpString2=".mp3") returned 1 [0106.166] lstrcmpiW (lpString1=".msp", lpString2=".pif") returned -1 [0106.166] lstrcmpiW (lpString1=".msp", lpString2=".mp4") returned 1 [0106.166] lstrcmpiW (lpString1=".msp", lpString2=".NEPHILIM") returned -1 [0106.166] lstrcmpiW (lpString1=".msp", lpString2=".msi") returned 1 [0106.166] lstrcmpiW (lpString1=".msp", lpString2=".lnk") returned 1 [0106.166] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0106.166] lstrlenA (lpString="NEPHILIM") returned 8 [0106.166] GetProcessHeap () returned 0x4e0000 [0106.166] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50ba20 [0106.166] lstrlenA (lpString="NEPHILIM") returned 8 [0106.166] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0106.167] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=17707008) returned 1 [0106.167] GetProcessHeap () returned 0x4e0000 [0106.167] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0106.167] GetProcessHeap () returned 0x4e0000 [0106.167] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0106.167] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0106.167] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0106.167] GetProcessHeap () returned 0x4e0000 [0106.167] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0106.167] GetProcessHeap () returned 0x4e0000 [0106.167] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0106.167] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24dd508*=0x100) returned 1 [0106.168] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24dd504*=0x100) returned 1 [0106.168] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x10e3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.168] SetLastError (dwErrCode=0x0) [0106.168] WriteFile (in: hFile=0xf4, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0106.170] GetLastError () returned 0x0 [0106.170] GetLastError () returned 0x0 [0106.170] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x10e3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.170] WriteFile (in: hFile=0xf4, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0106.170] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x10e3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.170] lstrlenA (lpString="NEPHILIM") returned 8 [0106.170] WriteFile (in: hFile=0xf4, lpBuffer=0x50ba20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50ba20*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0106.171] GetProcessHeap () returned 0x4e0000 [0106.171] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2010020 [0106.171] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.171] ReadFile (in: hFile=0xf4, lpBuffer=0x2010020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesRead=0x24dd730*=0x927c0, lpOverlapped=0x0) returned 1 [0106.244] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.244] WriteFile (in: hFile=0xf4, lpBuffer=0x2010020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesWritten=0x24dd73c*=0x927c0, lpOverlapped=0x0) returned 1 [0106.246] GetProcessHeap () returned 0x4e0000 [0106.246] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2010020 | out: hHeap=0x4e0000) returned 1 [0106.250] CloseHandle (hObject=0xf4) returned 1 [0106.740] GetProcessHeap () returned 0x4e0000 [0106.741] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0106.741] GetProcessHeap () returned 0x4e0000 [0106.741] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0106.741] GetProcessHeap () returned 0x4e0000 [0106.741] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0106.741] GetProcessHeap () returned 0x4e0000 [0106.741] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0106.741] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" [0106.742] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.NEPHILIM") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.NEPHILIM" [0106.742] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), lpNewFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.NEPHILIM" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp.nephilim")) returned 1 [0106.743] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0x2540cc00, ftLastWriteTime.dwHighDateTime=0x1d1056e, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0x420040, dwReserved1=0x24de260, cFileName="AdbeRdrUpd10116_MUI.msp", cAlternateFileName="ADBERD~3.MSP")) returned 1 [0106.743] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2=".") returned 1 [0106.743] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="..") returned 1 [0106.743] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="...") returned 1 [0106.743] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="windows") returned -1 [0106.743] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="$RECYCLE.BIN") returned 1 [0106.743] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="rsa") returned -1 [0106.743] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="log") returned -1 [0106.743] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="NTDETECT.COM") returned -1 [0106.743] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="ntldr") returned -1 [0106.743] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="MSDOS.SYS") returned -1 [0106.743] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="IO.SYS") returned -1 [0106.743] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="boot.ini") returned -1 [0106.744] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="AUTOEXEC.BAT") returned -1 [0106.744] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="ntuser.dat") returned -1 [0106.744] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="desktop.ini") returned -1 [0106.744] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="CONFIG.SYS") returned -1 [0106.744] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="RECYCLER") returned -1 [0106.744] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="BOOTSECT.BAK") returned -1 [0106.744] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="bootmgr") returned -1 [0106.744] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="programdata") returned -1 [0106.744] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="appdata") returned -1 [0106.744] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="program files") returned -1 [0106.744] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="program files (x86)") returned -1 [0106.744] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" [0106.744] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="AdbeRdrUpd10116_MUI.msp" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" [0106.744] PathFindExtensionW (pszPath="AdbeRdrUpd10116_MUI.msp") returned=".msp" [0106.744] lstrcmpiW (lpString1=".msp", lpString2=".exe") returned 1 [0106.744] lstrcmpiW (lpString1=".msp", lpString2=".log") returned 1 [0106.744] lstrcmpiW (lpString1=".msp", lpString2=".cab") returned 1 [0106.744] lstrcmpiW (lpString1=".msp", lpString2=".cmd") returned 1 [0106.744] lstrcmpiW (lpString1=".msp", lpString2=".com") returned 1 [0106.744] lstrcmpiW (lpString1=".msp", lpString2=".cpl") returned 1 [0106.744] lstrcmpiW (lpString1=".msp", lpString2=".ini") returned 1 [0106.745] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0106.745] lstrcmpiW (lpString1=".msp", lpString2=".url") returned -1 [0106.745] lstrcmpiW (lpString1=".msp", lpString2=".ttf") returned -1 [0106.745] lstrcmpiW (lpString1=".msp", lpString2=".mp3") returned 1 [0106.745] lstrcmpiW (lpString1=".msp", lpString2=".pif") returned -1 [0106.745] lstrcmpiW (lpString1=".msp", lpString2=".mp4") returned 1 [0106.745] lstrcmpiW (lpString1=".msp", lpString2=".NEPHILIM") returned -1 [0106.745] lstrcmpiW (lpString1=".msp", lpString2=".msi") returned 1 [0106.745] lstrcmpiW (lpString1=".msp", lpString2=".lnk") returned 1 [0106.745] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0106.745] lstrlenA (lpString="NEPHILIM") returned 8 [0106.745] GetProcessHeap () returned 0x4e0000 [0106.745] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50ba30 [0106.746] lstrlenA (lpString="NEPHILIM") returned 8 [0106.746] CreateFileW (lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0106.746] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=17420288) returned 1 [0106.746] GetProcessHeap () returned 0x4e0000 [0106.746] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0106.746] GetProcessHeap () returned 0x4e0000 [0106.746] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0106.746] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0106.746] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0106.746] GetProcessHeap () returned 0x4e0000 [0106.746] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0106.746] GetProcessHeap () returned 0x4e0000 [0106.746] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0106.746] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24dd508*=0x100) returned 1 [0106.747] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24dd504*=0x100) returned 1 [0106.747] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x109d000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.747] SetLastError (dwErrCode=0x0) [0106.747] WriteFile (in: hFile=0xf4, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0106.749] GetLastError () returned 0x0 [0106.749] GetLastError () returned 0x0 [0106.749] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x109d100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.749] WriteFile (in: hFile=0xf4, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0106.749] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x109d200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.749] lstrlenA (lpString="NEPHILIM") returned 8 [0106.749] WriteFile (in: hFile=0xf4, lpBuffer=0x50ba30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50ba30*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0106.749] GetProcessHeap () returned 0x4e0000 [0106.749] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2010020 [0106.750] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.750] ReadFile (in: hFile=0xf4, lpBuffer=0x2010020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesRead=0x24dd730*=0x927c0, lpOverlapped=0x0) returned 1 [0106.819] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.819] WriteFile (in: hFile=0xf4, lpBuffer=0x2010020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x2010020*, lpNumberOfBytesWritten=0x24dd73c*=0x927c0, lpOverlapped=0x0) returned 1 [0106.821] GetProcessHeap () returned 0x4e0000 [0106.821] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2010020 | out: hHeap=0x4e0000) returned 1 [0106.825] CloseHandle (hObject=0xf4) returned 1 [0107.682] GetProcessHeap () returned 0x4e0000 [0107.682] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0107.682] GetProcessHeap () returned 0x4e0000 [0107.682] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0107.682] GetProcessHeap () returned 0x4e0000 [0107.683] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0107.683] GetProcessHeap () returned 0x4e0000 [0107.683] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0107.683] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" [0107.683] lstrcatW (in: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.NEPHILIM") returned="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.NEPHILIM" [0107.683] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), lpNewFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.NEPHILIM" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp.nephilim")) returned 1 [0107.687] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0x2540cc00, ftLastWriteTime.dwHighDateTime=0x1d1056e, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0x420040, dwReserved1=0x24de260, cFileName="AdbeRdrUpd10116_MUI.msp", cAlternateFileName="ADBERD~3.MSP")) returned 0 [0107.687] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0107.687] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 0 [0107.687] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0107.688] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="ARM", cAlternateFileName="")) returned 0 [0107.688] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0107.688] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2="...") returned 1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2="$RECYCLE.BIN") returned 1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2="rsa") returned -1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2="log") returned -1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2="NTDETECT.COM") returned -1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2="ntldr") returned -1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2="MSDOS.SYS") returned -1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2="IO.SYS") returned -1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2="boot.ini") returned -1 [0107.688] lstrcmpiW (lpString1="Application Data", lpString2="AUTOEXEC.BAT") returned -1 [0107.689] lstrcmpiW (lpString1="Application Data", lpString2="ntuser.dat") returned -1 [0107.689] lstrcmpiW (lpString1="Application Data", lpString2="desktop.ini") returned -1 [0107.689] lstrcmpiW (lpString1="Application Data", lpString2="CONFIG.SYS") returned -1 [0107.689] lstrcmpiW (lpString1="Application Data", lpString2="RECYCLER") returned -1 [0107.689] lstrcmpiW (lpString1="Application Data", lpString2="BOOTSECT.BAK") returned -1 [0107.689] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0107.689] lstrcmpiW (lpString1="Application Data", lpString2="programdata") returned -1 [0107.689] lstrcmpiW (lpString1="Application Data", lpString2="appdata") returned 1 [0107.689] lstrcmpiW (lpString1="Application Data", lpString2="program files") returned -1 [0107.689] lstrcmpiW (lpString1="Application Data", lpString2="program files (x86)") returned -1 [0107.689] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0107.689] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Application Data" | out: lpString1="C:\\Users\\All Users\\Application Data") returned="C:\\Users\\All Users\\Application Data" [0107.689] lstrcatW (in: lpString1="C:\\Users\\All Users\\Application Data", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Application Data\\") returned="C:\\Users\\All Users\\Application Data\\" [0107.689] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Application Data\\" | out: lpString1="C:\\Users\\All Users\\Application Data\\") returned="C:\\Users\\All Users\\Application Data\\" [0107.689] lstrcatW (in: lpString1="C:\\Users\\All Users\\Application Data\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Application Data\\*.*") returned="C:\\Users\\All Users\\Application Data\\*.*" [0107.689] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Application Data\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="ARM", cAlternateFileName="")) returned 0xffffffff [0107.690] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="$RECYCLE.BIN") returned 1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="log") returned -1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="NTDETECT.COM") returned -1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="ntldr") returned -1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="MSDOS.SYS") returned -1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="IO.SYS") returned -1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="boot.ini") returned 1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="AUTOEXEC.BAT") returned 1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="desktop.ini") returned -1 [0107.690] lstrcmpiW (lpString1="Desktop", lpString2="CONFIG.SYS") returned 1 [0107.691] lstrcmpiW (lpString1="Desktop", lpString2="RECYCLER") returned -1 [0107.691] lstrcmpiW (lpString1="Desktop", lpString2="BOOTSECT.BAK") returned 1 [0107.691] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0107.691] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0107.691] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0107.691] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0107.691] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0107.691] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0107.691] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Desktop" | out: lpString1="C:\\Users\\All Users\\Desktop") returned="C:\\Users\\All Users\\Desktop" [0107.691] lstrcatW (in: lpString1="C:\\Users\\All Users\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Desktop\\") returned="C:\\Users\\All Users\\Desktop\\" [0107.691] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Desktop\\" | out: lpString1="C:\\Users\\All Users\\Desktop\\") returned="C:\\Users\\All Users\\Desktop\\" [0107.691] lstrcatW (in: lpString1="C:\\Users\\All Users\\Desktop\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Desktop\\*.*") returned="C:\\Users\\All Users\\Desktop\\*.*" [0107.691] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Desktop\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="ARM", cAlternateFileName="")) returned 0xffffffff [0107.691] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0107.691] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0107.691] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0107.691] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0107.691] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="log") returned -1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0107.692] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0107.692] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0107.692] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Documents" | out: lpString1="C:\\Users\\All Users\\Documents") returned="C:\\Users\\All Users\\Documents" [0107.692] lstrcatW (in: lpString1="C:\\Users\\All Users\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Documents\\") returned="C:\\Users\\All Users\\Documents\\" [0107.693] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Documents\\" | out: lpString1="C:\\Users\\All Users\\Documents\\") returned="C:\\Users\\All Users\\Documents\\" [0107.693] lstrcatW (in: lpString1="C:\\Users\\All Users\\Documents\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Documents\\*.*") returned="C:\\Users\\All Users\\Documents\\*.*" [0107.693] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Documents\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="ARM", cAlternateFileName="")) returned 0xffffffff [0107.693] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="...") returned 1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="$RECYCLE.BIN") returned 1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="rsa") returned -1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="log") returned -1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="NTDETECT.COM") returned -1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="ntldr") returned -1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="MSDOS.SYS") returned -1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="IO.SYS") returned -1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="boot.ini") returned 1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="AUTOEXEC.BAT") returned 1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="ntuser.dat") returned -1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="desktop.ini") returned 1 [0107.693] lstrcmpiW (lpString1="Favorites", lpString2="CONFIG.SYS") returned 1 [0107.694] lstrcmpiW (lpString1="Favorites", lpString2="RECYCLER") returned -1 [0107.694] lstrcmpiW (lpString1="Favorites", lpString2="BOOTSECT.BAK") returned 1 [0107.694] lstrcmpiW (lpString1="Favorites", lpString2="bootmgr") returned 1 [0107.694] lstrcmpiW (lpString1="Favorites", lpString2="programdata") returned -1 [0107.694] lstrcmpiW (lpString1="Favorites", lpString2="appdata") returned 1 [0107.694] lstrcmpiW (lpString1="Favorites", lpString2="program files") returned -1 [0107.694] lstrcmpiW (lpString1="Favorites", lpString2="program files (x86)") returned -1 [0107.694] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0107.694] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Favorites" | out: lpString1="C:\\Users\\All Users\\Favorites") returned="C:\\Users\\All Users\\Favorites" [0107.694] lstrcatW (in: lpString1="C:\\Users\\All Users\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Favorites\\") returned="C:\\Users\\All Users\\Favorites\\" [0107.694] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Favorites\\" | out: lpString1="C:\\Users\\All Users\\Favorites\\") returned="C:\\Users\\All Users\\Favorites\\" [0107.694] lstrcatW (in: lpString1="C:\\Users\\All Users\\Favorites\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Favorites\\*.*") returned="C:\\Users\\All Users\\Favorites\\*.*" [0107.694] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Favorites\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="ARM", cAlternateFileName="")) returned 0xffffffff [0107.694] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0107.694] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0107.694] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0107.694] lstrcmpiW (lpString1="Microsoft", lpString2="...") returned 1 [0107.694] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="$RECYCLE.BIN") returned 1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="rsa") returned -1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="log") returned 1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="NTDETECT.COM") returned -1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="ntldr") returned -1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="MSDOS.SYS") returned -1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="IO.SYS") returned 1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="boot.ini") returned 1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="AUTOEXEC.BAT") returned 1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="ntuser.dat") returned -1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="desktop.ini") returned 1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="CONFIG.SYS") returned 1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="RECYCLER") returned -1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="BOOTSECT.BAK") returned 1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="programdata") returned -1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="appdata") returned 1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="program files") returned -1 [0107.695] lstrcmpiW (lpString1="Microsoft", lpString2="program files (x86)") returned -1 [0107.696] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0107.696] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Microsoft" | out: lpString1="C:\\Users\\All Users\\Microsoft") returned="C:\\Users\\All Users\\Microsoft" [0107.696] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0107.696] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0107.696] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\*.*") returned="C:\\Users\\All Users\\Microsoft\\*.*" [0107.696] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0107.696] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.696] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0107.696] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.696] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.696] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Assistance", cAlternateFileName="ASSIST~1")) returned 1 [0107.696] lstrcmpiW (lpString1="Assistance", lpString2=".") returned 1 [0107.696] lstrcmpiW (lpString1="Assistance", lpString2="..") returned 1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="...") returned 1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="windows") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="$RECYCLE.BIN") returned 1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="rsa") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="log") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="NTDETECT.COM") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="ntldr") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="MSDOS.SYS") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="IO.SYS") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="boot.ini") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="AUTOEXEC.BAT") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="ntuser.dat") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="desktop.ini") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="CONFIG.SYS") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="RECYCLER") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="BOOTSECT.BAK") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="bootmgr") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="programdata") returned -1 [0107.697] lstrcmpiW (lpString1="Assistance", lpString2="appdata") returned 1 [0107.698] lstrcmpiW (lpString1="Assistance", lpString2="program files") returned -1 [0107.698] lstrcmpiW (lpString1="Assistance", lpString2="program files (x86)") returned -1 [0107.698] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0107.698] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Assistance" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance") returned="C:\\Users\\All Users\\Microsoft\\Assistance" [0107.698] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\" [0107.698] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\" [0107.698] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\*.*" [0107.698] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0107.698] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.698] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0107.698] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.698] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.698] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Client", cAlternateFileName="")) returned 1 [0107.699] lstrcmpiW (lpString1="Client", lpString2=".") returned 1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="..") returned 1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="...") returned 1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="windows") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="$RECYCLE.BIN") returned 1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="rsa") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="log") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="NTDETECT.COM") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="ntldr") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="MSDOS.SYS") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="IO.SYS") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="boot.ini") returned 1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="AUTOEXEC.BAT") returned 1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="ntuser.dat") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="desktop.ini") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="CONFIG.SYS") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="RECYCLER") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="BOOTSECT.BAK") returned 1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="bootmgr") returned 1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="programdata") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="appdata") returned 1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="program files") returned -1 [0107.699] lstrcmpiW (lpString1="Client", lpString2="program files (x86)") returned -1 [0107.700] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\" [0107.700] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\", lpString2="Client" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client" [0107.700] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\" [0107.700] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\" [0107.700] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*.*" [0107.700] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0107.700] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.700] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0107.700] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.700] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.700] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="1.0", cAlternateFileName="")) returned 1 [0107.700] lstrcmpiW (lpString1="1.0", lpString2=".") returned 1 [0107.700] lstrcmpiW (lpString1="1.0", lpString2="..") returned 1 [0107.700] lstrcmpiW (lpString1="1.0", lpString2="...") returned 1 [0107.700] lstrcmpiW (lpString1="1.0", lpString2="windows") returned -1 [0107.700] lstrcmpiW (lpString1="1.0", lpString2="$RECYCLE.BIN") returned 1 [0107.700] lstrcmpiW (lpString1="1.0", lpString2="rsa") returned -1 [0107.701] lstrcmpiW (lpString1="1.0", lpString2="log") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="NTDETECT.COM") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="ntldr") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="MSDOS.SYS") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="IO.SYS") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="boot.ini") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="AUTOEXEC.BAT") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="ntuser.dat") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="desktop.ini") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="CONFIG.SYS") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="RECYCLER") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="BOOTSECT.BAK") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="bootmgr") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="programdata") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="appdata") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="program files") returned -1 [0107.702] lstrcmpiW (lpString1="1.0", lpString2="program files (x86)") returned -1 [0107.702] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\" [0107.702] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\", lpString2="1.0" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0" [0107.702] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\" [0107.702] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\" [0107.702] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*" [0107.703] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0107.703] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.703] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0107.703] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.703] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.703] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="en-US", cAlternateFileName="")) returned 1 [0107.703] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0107.703] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0107.703] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0107.703] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0107.703] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0107.703] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0107.703] lstrcmpiW (lpString1="en-US", lpString2="log") returned -1 [0107.703] lstrcmpiW (lpString1="en-US", lpString2="NTDETECT.COM") returned -1 [0107.703] lstrcmpiW (lpString1="en-US", lpString2="ntldr") returned -1 [0107.703] lstrcmpiW (lpString1="en-US", lpString2="MSDOS.SYS") returned -1 [0107.703] lstrcmpiW (lpString1="en-US", lpString2="IO.SYS") returned -1 [0107.704] lstrcmpiW (lpString1="en-US", lpString2="boot.ini") returned 1 [0107.704] lstrcmpiW (lpString1="en-US", lpString2="AUTOEXEC.BAT") returned 1 [0107.704] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0107.704] lstrcmpiW (lpString1="en-US", lpString2="desktop.ini") returned 1 [0107.704] lstrcmpiW (lpString1="en-US", lpString2="CONFIG.SYS") returned 1 [0107.704] lstrcmpiW (lpString1="en-US", lpString2="RECYCLER") returned -1 [0107.704] lstrcmpiW (lpString1="en-US", lpString2="BOOTSECT.BAK") returned 1 [0107.704] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0107.704] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0107.704] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0107.704] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0107.704] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0107.704] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\" [0107.704] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\", lpString2="en-US" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US" [0107.704] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0107.704] lstrcpyW (in: lpString1=0x24dcee0, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0107.704] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*" [0107.704] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*", lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6e006c, dwReserved1=0x24dd560, cFileName=".", cAlternateFileName="")) returned 0x50aa00 [0107.709] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.709] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6e006c, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 1 [0107.709] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.709] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.709] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x2436abaa, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xabde2c6f, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa65a8bbf, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x2f22, dwReserved0=0x6e006c, dwReserved1=0x24dd560, cFileName="Help_CValidator.H1D", cAlternateFileName="HELP_C~1.H1D")) returned 1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2=".") returned 1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="..") returned 1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="...") returned 1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="windows") returned -1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="$RECYCLE.BIN") returned 1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="rsa") returned -1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="log") returned -1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="NTDETECT.COM") returned -1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="ntldr") returned -1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="MSDOS.SYS") returned -1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="IO.SYS") returned -1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="boot.ini") returned 1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="AUTOEXEC.BAT") returned 1 [0107.709] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="ntuser.dat") returned -1 [0107.710] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="desktop.ini") returned 1 [0107.710] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="CONFIG.SYS") returned 1 [0107.710] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="RECYCLER") returned -1 [0107.710] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="BOOTSECT.BAK") returned 1 [0107.710] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="bootmgr") returned 1 [0107.710] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="programdata") returned -1 [0107.710] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="appdata") returned 1 [0107.710] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="program files") returned -1 [0107.710] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="program files (x86)") returned -1 [0107.710] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0107.710] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help_CValidator.H1D" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" [0107.710] PathFindExtensionW (pszPath="Help_CValidator.H1D") returned=".H1D" [0107.710] lstrcmpiW (lpString1=".H1D", lpString2=".exe") returned 1 [0107.710] lstrcmpiW (lpString1=".H1D", lpString2=".log") returned -1 [0107.710] lstrcmpiW (lpString1=".H1D", lpString2=".cab") returned 1 [0107.710] lstrcmpiW (lpString1=".H1D", lpString2=".cmd") returned 1 [0107.710] lstrcmpiW (lpString1=".H1D", lpString2=".com") returned 1 [0107.710] lstrcmpiW (lpString1=".H1D", lpString2=".cpl") returned 1 [0107.710] lstrcmpiW (lpString1=".H1D", lpString2=".ini") returned -1 [0107.710] lstrcmpiW (lpString1=".H1D", lpString2=".dll") returned 1 [0107.710] lstrcmpiW (lpString1=".H1D", lpString2=".url") returned -1 [0107.711] lstrcmpiW (lpString1=".H1D", lpString2=".ttf") returned -1 [0107.711] lstrcmpiW (lpString1=".H1D", lpString2=".mp3") returned -1 [0107.711] lstrcmpiW (lpString1=".H1D", lpString2=".pif") returned -1 [0107.711] lstrcmpiW (lpString1=".H1D", lpString2=".mp4") returned -1 [0107.711] lstrcmpiW (lpString1=".H1D", lpString2=".NEPHILIM") returned -1 [0107.711] lstrcmpiW (lpString1=".H1D", lpString2=".msi") returned -1 [0107.711] lstrcmpiW (lpString1=".H1D", lpString2=".lnk") returned -1 [0107.711] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0107.711] lstrlenA (lpString="NEPHILIM") returned 8 [0107.711] GetProcessHeap () returned 0x4e0000 [0107.711] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50ba40 [0107.711] lstrlenA (lpString="NEPHILIM") returned 8 [0107.711] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xfc [0107.713] GetFileSizeEx (in: hFile=0xfc, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=12066) returned 1 [0107.713] GetProcessHeap () returned 0x4e0000 [0107.713] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0107.713] GetProcessHeap () returned 0x4e0000 [0107.713] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0107.713] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0107.713] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0107.713] GetProcessHeap () returned 0x4e0000 [0107.713] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0107.713] GetProcessHeap () returned 0x4e0000 [0107.713] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0107.714] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24dc808*=0x100) returned 1 [0107.714] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24dc804*=0x100) returned 1 [0107.714] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x2f22, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.714] SetLastError (dwErrCode=0x0) [0107.714] WriteFile (in: hFile=0xfc, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.725] GetLastError () returned 0x0 [0107.725] GetLastError () returned 0x0 [0107.725] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x3022, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.725] WriteFile (in: hFile=0xfc, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.726] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x3122, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.726] lstrlenA (lpString="NEPHILIM") returned 8 [0107.726] WriteFile (in: hFile=0xfc, lpBuffer=0x50ba40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50ba40*, lpNumberOfBytesWritten=0x24dca3c*=0x8, lpOverlapped=0x0) returned 1 [0107.726] GetProcessHeap () returned 0x4e0000 [0107.726] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2f22) returned 0x510cd0 [0107.726] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.726] ReadFile (in: hFile=0xfc, lpBuffer=0x510cd0, nNumberOfBytesToRead=0x2f22, lpNumberOfBytesRead=0x24dca30, lpOverlapped=0x0 | out: lpBuffer=0x510cd0*, lpNumberOfBytesRead=0x24dca30*=0x2f22, lpOverlapped=0x0) returned 1 [0107.731] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.731] WriteFile (in: hFile=0xfc, lpBuffer=0x510cd0*, nNumberOfBytesToWrite=0x2f22, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x510cd0*, lpNumberOfBytesWritten=0x24dca3c*=0x2f22, lpOverlapped=0x0) returned 1 [0107.731] GetProcessHeap () returned 0x4e0000 [0107.731] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x510cd0 | out: hHeap=0x4e0000) returned 1 [0107.732] CloseHandle (hObject=0xfc) returned 1 [0107.736] GetProcessHeap () returned 0x4e0000 [0107.736] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0107.736] GetProcessHeap () returned 0x4e0000 [0107.736] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0107.736] GetProcessHeap () returned 0x4e0000 [0107.736] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0107.736] GetProcessHeap () returned 0x4e0000 [0107.736] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0107.736] lstrcpyW (in: lpString1=0x24dc828, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" [0107.736] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.NEPHILIM" [0107.737] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d.nephilim")) returned 1 [0107.737] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae2660aa, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae2660aa, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x365fc, dwReserved0=0x6e006c, dwReserved1=0x24dd560, cFileName="Help_MKWD_AssetId.H1W", cAlternateFileName="HELP_M~1.H1W")) returned 1 [0107.737] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2=".") returned 1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="..") returned 1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="...") returned 1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="windows") returned -1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="$RECYCLE.BIN") returned 1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="rsa") returned -1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="log") returned -1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="NTDETECT.COM") returned -1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="ntldr") returned -1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="MSDOS.SYS") returned -1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="IO.SYS") returned -1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="boot.ini") returned 1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="AUTOEXEC.BAT") returned 1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="ntuser.dat") returned -1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="desktop.ini") returned 1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="CONFIG.SYS") returned 1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="RECYCLER") returned -1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="BOOTSECT.BAK") returned 1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="bootmgr") returned 1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="programdata") returned -1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="appdata") returned 1 [0107.738] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="program files") returned -1 [0107.739] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="program files (x86)") returned -1 [0107.739] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0107.739] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help_MKWD_AssetId.H1W" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" [0107.739] PathFindExtensionW (pszPath="Help_MKWD_AssetId.H1W") returned=".H1W" [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".exe") returned 1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".log") returned -1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".cab") returned 1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".cmd") returned 1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".com") returned 1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".cpl") returned 1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".ini") returned -1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".dll") returned 1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".url") returned -1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".ttf") returned -1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".mp3") returned -1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".pif") returned -1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".mp4") returned -1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".NEPHILIM") returned -1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".msi") returned -1 [0107.739] lstrcmpiW (lpString1=".H1W", lpString2=".lnk") returned -1 [0107.739] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0107.740] lstrlenA (lpString="NEPHILIM") returned 8 [0107.740] GetProcessHeap () returned 0x4e0000 [0107.740] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50ba50 [0107.740] lstrlenA (lpString="NEPHILIM") returned 8 [0107.740] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xfc [0107.740] GetFileSizeEx (in: hFile=0xfc, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=222716) returned 1 [0107.740] GetProcessHeap () returned 0x4e0000 [0107.740] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0107.740] GetProcessHeap () returned 0x4e0000 [0107.740] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0107.740] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0107.740] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0107.740] GetProcessHeap () returned 0x4e0000 [0107.740] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0107.740] GetProcessHeap () returned 0x4e0000 [0107.741] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0107.741] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24dc808*=0x100) returned 1 [0107.741] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24dc804*=0x100) returned 1 [0107.741] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x365fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.741] SetLastError (dwErrCode=0x0) [0107.741] WriteFile (in: hFile=0xfc, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.744] GetLastError () returned 0x0 [0107.744] GetLastError () returned 0x0 [0107.744] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x366fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.744] WriteFile (in: hFile=0xfc, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.744] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x367fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.744] lstrlenA (lpString="NEPHILIM") returned 8 [0107.744] WriteFile (in: hFile=0xfc, lpBuffer=0x50ba50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50ba50*, lpNumberOfBytesWritten=0x24dca3c*=0x8, lpOverlapped=0x0) returned 1 [0107.744] GetProcessHeap () returned 0x4e0000 [0107.744] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x365fc) returned 0x510cd0 [0107.744] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.744] ReadFile (in: hFile=0xfc, lpBuffer=0x510cd0, nNumberOfBytesToRead=0x365fc, lpNumberOfBytesRead=0x24dca30, lpOverlapped=0x0 | out: lpBuffer=0x510cd0*, lpNumberOfBytesRead=0x24dca30*=0x365fc, lpOverlapped=0x0) returned 1 [0107.772] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.772] WriteFile (in: hFile=0xfc, lpBuffer=0x510cd0*, nNumberOfBytesToWrite=0x365fc, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x510cd0*, lpNumberOfBytesWritten=0x24dca3c*=0x365fc, lpOverlapped=0x0) returned 1 [0107.773] GetProcessHeap () returned 0x4e0000 [0107.773] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x510cd0 | out: hHeap=0x4e0000) returned 1 [0107.774] CloseHandle (hObject=0xfc) returned 1 [0107.784] GetProcessHeap () returned 0x4e0000 [0107.784] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0107.784] GetProcessHeap () returned 0x4e0000 [0107.784] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0107.784] GetProcessHeap () returned 0x4e0000 [0107.784] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0107.784] GetProcessHeap () returned 0x4e0000 [0107.784] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0107.784] lstrcpyW (in: lpString1=0x24dc828, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" [0107.784] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.NEPHILIM" [0107.784] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w.nephilim")) returned 1 [0107.785] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae409b6f, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae409b6f, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x325ec, dwReserved0=0x6e006c, dwReserved1=0x24dd560, cFileName="Help_MKWD_BestBet.H1W", cAlternateFileName="HELP_M~2.H1W")) returned 1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2=".") returned 1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="..") returned 1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="...") returned 1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="windows") returned -1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="$RECYCLE.BIN") returned 1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="rsa") returned -1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="log") returned -1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="NTDETECT.COM") returned -1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="ntldr") returned -1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="MSDOS.SYS") returned -1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="IO.SYS") returned -1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="boot.ini") returned 1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="AUTOEXEC.BAT") returned 1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="ntuser.dat") returned -1 [0107.785] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="desktop.ini") returned 1 [0107.786] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="CONFIG.SYS") returned 1 [0107.786] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="RECYCLER") returned -1 [0107.786] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="BOOTSECT.BAK") returned 1 [0107.786] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="bootmgr") returned 1 [0107.786] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="programdata") returned -1 [0107.786] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="appdata") returned 1 [0107.786] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="program files") returned -1 [0107.786] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="program files (x86)") returned -1 [0107.786] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0107.786] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help_MKWD_BestBet.H1W" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" [0107.786] PathFindExtensionW (pszPath="Help_MKWD_BestBet.H1W") returned=".H1W" [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".exe") returned 1 [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".log") returned -1 [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".cab") returned 1 [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".cmd") returned 1 [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".com") returned 1 [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".cpl") returned 1 [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".ini") returned -1 [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".dll") returned 1 [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".url") returned -1 [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".ttf") returned -1 [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".mp3") returned -1 [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".pif") returned -1 [0107.786] lstrcmpiW (lpString1=".H1W", lpString2=".mp4") returned -1 [0107.787] lstrcmpiW (lpString1=".H1W", lpString2=".NEPHILIM") returned -1 [0107.787] lstrcmpiW (lpString1=".H1W", lpString2=".msi") returned -1 [0107.787] lstrcmpiW (lpString1=".H1W", lpString2=".lnk") returned -1 [0107.787] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0107.787] lstrlenA (lpString="NEPHILIM") returned 8 [0107.787] GetProcessHeap () returned 0x4e0000 [0107.787] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50ba60 [0107.787] lstrlenA (lpString="NEPHILIM") returned 8 [0107.787] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xfc [0107.789] GetFileSizeEx (in: hFile=0xfc, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=206316) returned 1 [0107.789] GetProcessHeap () returned 0x4e0000 [0107.789] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0107.789] GetProcessHeap () returned 0x4e0000 [0107.789] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0107.789] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0107.789] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0107.789] GetProcessHeap () returned 0x4e0000 [0107.789] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0107.789] GetProcessHeap () returned 0x4e0000 [0107.789] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0107.789] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24dc808*=0x100) returned 1 [0107.790] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24dc804*=0x100) returned 1 [0107.790] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x325ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.790] SetLastError (dwErrCode=0x0) [0107.790] WriteFile (in: hFile=0xfc, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.795] GetLastError () returned 0x0 [0107.795] GetLastError () returned 0x0 [0107.795] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x326ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.795] WriteFile (in: hFile=0xfc, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.795] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x327ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.795] lstrlenA (lpString="NEPHILIM") returned 8 [0107.795] WriteFile (in: hFile=0xfc, lpBuffer=0x50ba60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50ba60*, lpNumberOfBytesWritten=0x24dca3c*=0x8, lpOverlapped=0x0) returned 1 [0107.796] GetProcessHeap () returned 0x4e0000 [0107.796] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x325ec) returned 0x510cd0 [0107.796] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.796] ReadFile (in: hFile=0xfc, lpBuffer=0x510cd0, nNumberOfBytesToRead=0x325ec, lpNumberOfBytesRead=0x24dca30, lpOverlapped=0x0 | out: lpBuffer=0x510cd0*, lpNumberOfBytesRead=0x24dca30*=0x325ec, lpOverlapped=0x0) returned 1 [0107.816] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.816] WriteFile (in: hFile=0xfc, lpBuffer=0x510cd0*, nNumberOfBytesToWrite=0x325ec, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x510cd0*, lpNumberOfBytesWritten=0x24dca3c*=0x325ec, lpOverlapped=0x0) returned 1 [0107.817] GetProcessHeap () returned 0x4e0000 [0107.817] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x510cd0 | out: hHeap=0x4e0000) returned 1 [0107.817] CloseHandle (hObject=0xfc) returned 1 [0107.820] GetProcessHeap () returned 0x4e0000 [0107.820] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0107.820] GetProcessHeap () returned 0x4e0000 [0107.820] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0107.820] GetProcessHeap () returned 0x4e0000 [0107.820] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0107.820] GetProcessHeap () returned 0x4e0000 [0107.821] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0107.821] lstrcpyW (in: lpString1=0x24dc828, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" [0107.821] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.NEPHILIM" [0107.821] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w.nephilim")) returned 1 [0107.822] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x79f1a, dwReserved0=0x6e006c, dwReserved1=0x24dd560, cFileName="Help_MTOC_help.H1H", cAlternateFileName="HELP_M~1.H1H")) returned 1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2=".") returned 1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="..") returned 1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="...") returned 1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="windows") returned -1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="$RECYCLE.BIN") returned 1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="rsa") returned -1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="log") returned -1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="NTDETECT.COM") returned -1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="ntldr") returned -1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="MSDOS.SYS") returned -1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="IO.SYS") returned -1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="boot.ini") returned 1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="AUTOEXEC.BAT") returned 1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="ntuser.dat") returned -1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="desktop.ini") returned 1 [0107.822] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="CONFIG.SYS") returned 1 [0107.823] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="RECYCLER") returned -1 [0107.823] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="BOOTSECT.BAK") returned 1 [0107.823] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="bootmgr") returned 1 [0107.823] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="programdata") returned -1 [0107.823] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="appdata") returned 1 [0107.823] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="program files") returned -1 [0107.823] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="program files (x86)") returned -1 [0107.823] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0107.823] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help_MTOC_help.H1H" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" [0107.823] PathFindExtensionW (pszPath="Help_MTOC_help.H1H") returned=".H1H" [0107.823] lstrcmpiW (lpString1=".H1H", lpString2=".exe") returned 1 [0107.823] lstrcmpiW (lpString1=".H1H", lpString2=".log") returned -1 [0107.823] lstrcmpiW (lpString1=".H1H", lpString2=".cab") returned 1 [0107.823] lstrcmpiW (lpString1=".H1H", lpString2=".cmd") returned 1 [0107.823] lstrcmpiW (lpString1=".H1H", lpString2=".com") returned 1 [0107.823] lstrcmpiW (lpString1=".H1H", lpString2=".cpl") returned 1 [0107.823] lstrcmpiW (lpString1=".H1H", lpString2=".ini") returned -1 [0107.823] lstrcmpiW (lpString1=".H1H", lpString2=".dll") returned 1 [0107.823] lstrcmpiW (lpString1=".H1H", lpString2=".url") returned -1 [0107.824] lstrcmpiW (lpString1=".H1H", lpString2=".ttf") returned -1 [0107.824] lstrcmpiW (lpString1=".H1H", lpString2=".mp3") returned -1 [0107.824] lstrcmpiW (lpString1=".H1H", lpString2=".pif") returned -1 [0107.824] lstrcmpiW (lpString1=".H1H", lpString2=".mp4") returned -1 [0107.824] lstrcmpiW (lpString1=".H1H", lpString2=".NEPHILIM") returned -1 [0107.824] lstrcmpiW (lpString1=".H1H", lpString2=".msi") returned -1 [0107.824] lstrcmpiW (lpString1=".H1H", lpString2=".lnk") returned -1 [0107.824] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0107.824] lstrlenA (lpString="NEPHILIM") returned 8 [0107.824] GetProcessHeap () returned 0x4e0000 [0107.824] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50ba70 [0107.824] lstrlenA (lpString="NEPHILIM") returned 8 [0107.824] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xfc [0107.824] GetFileSizeEx (in: hFile=0xfc, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=499482) returned 1 [0107.825] GetProcessHeap () returned 0x4e0000 [0107.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0107.825] GetProcessHeap () returned 0x4e0000 [0107.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0107.825] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0107.825] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0107.825] GetProcessHeap () returned 0x4e0000 [0107.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0107.825] GetProcessHeap () returned 0x4e0000 [0107.825] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0107.825] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24dc808*=0x100) returned 1 [0107.825] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24dc804*=0x100) returned 1 [0107.826] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x79f1a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.826] SetLastError (dwErrCode=0x0) [0107.826] WriteFile (in: hFile=0xfc, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.829] GetLastError () returned 0x0 [0107.829] GetLastError () returned 0x0 [0107.829] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x7a01a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.829] WriteFile (in: hFile=0xfc, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.829] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x7a11a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.829] lstrlenA (lpString="NEPHILIM") returned 8 [0107.829] WriteFile (in: hFile=0xfc, lpBuffer=0x50ba70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50ba70*, lpNumberOfBytesWritten=0x24dca3c*=0x8, lpOverlapped=0x0) returned 1 [0107.829] GetProcessHeap () returned 0x4e0000 [0107.829] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x79f1a) returned 0x2010048 [0107.831] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.832] ReadFile (in: hFile=0xfc, lpBuffer=0x2010048, nNumberOfBytesToRead=0x79f1a, lpNumberOfBytesRead=0x24dca30, lpOverlapped=0x0 | out: lpBuffer=0x2010048*, lpNumberOfBytesRead=0x24dca30*=0x79f1a, lpOverlapped=0x0) returned 1 [0107.875] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.875] WriteFile (in: hFile=0xfc, lpBuffer=0x2010048*, nNumberOfBytesToWrite=0x79f1a, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x2010048*, lpNumberOfBytesWritten=0x24dca3c*=0x79f1a, lpOverlapped=0x0) returned 1 [0107.877] GetProcessHeap () returned 0x4e0000 [0107.877] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2010048 | out: hHeap=0x4e0000) returned 1 [0107.877] CloseHandle (hObject=0xfc) returned 1 [0107.884] GetProcessHeap () returned 0x4e0000 [0107.884] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0107.884] GetProcessHeap () returned 0x4e0000 [0107.884] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0107.884] GetProcessHeap () returned 0x4e0000 [0107.885] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0107.885] GetProcessHeap () returned 0x4e0000 [0107.885] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0107.885] lstrcpyW (in: lpString1=0x24dc828, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" [0107.885] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.NEPHILIM" [0107.885] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h.nephilim")) returned 1 [0107.886] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x26353250, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x3944, dwReserved0=0x6e006c, dwReserved1=0x24dd560, cFileName="Help_MValidator.H1D", cAlternateFileName="HELP_M~1.H1D")) returned 1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2=".") returned 1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="..") returned 1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="...") returned 1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="windows") returned -1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="$RECYCLE.BIN") returned 1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="rsa") returned -1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="log") returned -1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="NTDETECT.COM") returned -1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="ntldr") returned -1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="MSDOS.SYS") returned -1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="IO.SYS") returned -1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="boot.ini") returned 1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="AUTOEXEC.BAT") returned 1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="ntuser.dat") returned -1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="desktop.ini") returned 1 [0107.886] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="CONFIG.SYS") returned 1 [0107.887] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="RECYCLER") returned -1 [0107.887] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="BOOTSECT.BAK") returned 1 [0107.887] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="bootmgr") returned 1 [0107.887] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="programdata") returned -1 [0107.887] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="appdata") returned 1 [0107.887] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="program files") returned -1 [0107.887] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="program files (x86)") returned -1 [0107.887] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0107.887] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help_MValidator.H1D" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" [0107.887] PathFindExtensionW (pszPath="Help_MValidator.H1D") returned=".H1D" [0107.887] lstrcmpiW (lpString1=".H1D", lpString2=".exe") returned 1 [0107.887] lstrcmpiW (lpString1=".H1D", lpString2=".log") returned -1 [0107.887] lstrcmpiW (lpString1=".H1D", lpString2=".cab") returned 1 [0107.887] lstrcmpiW (lpString1=".H1D", lpString2=".cmd") returned 1 [0107.887] lstrcmpiW (lpString1=".H1D", lpString2=".com") returned 1 [0107.887] lstrcmpiW (lpString1=".H1D", lpString2=".cpl") returned 1 [0107.887] lstrcmpiW (lpString1=".H1D", lpString2=".ini") returned -1 [0107.887] lstrcmpiW (lpString1=".H1D", lpString2=".dll") returned 1 [0107.887] lstrcmpiW (lpString1=".H1D", lpString2=".url") returned -1 [0107.887] lstrcmpiW (lpString1=".H1D", lpString2=".ttf") returned -1 [0107.888] lstrcmpiW (lpString1=".H1D", lpString2=".mp3") returned -1 [0107.888] lstrcmpiW (lpString1=".H1D", lpString2=".pif") returned -1 [0107.888] lstrcmpiW (lpString1=".H1D", lpString2=".mp4") returned -1 [0107.888] lstrcmpiW (lpString1=".H1D", lpString2=".NEPHILIM") returned -1 [0107.888] lstrcmpiW (lpString1=".H1D", lpString2=".msi") returned -1 [0107.888] lstrcmpiW (lpString1=".H1D", lpString2=".lnk") returned -1 [0107.888] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0107.888] lstrlenA (lpString="NEPHILIM") returned 8 [0107.888] GetProcessHeap () returned 0x4e0000 [0107.888] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50ba80 [0107.888] lstrlenA (lpString="NEPHILIM") returned 8 [0107.888] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xfc [0107.889] GetFileSizeEx (in: hFile=0xfc, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=14660) returned 1 [0107.889] GetProcessHeap () returned 0x4e0000 [0107.889] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0107.889] GetProcessHeap () returned 0x4e0000 [0107.889] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0107.889] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0107.889] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0107.889] GetProcessHeap () returned 0x4e0000 [0107.889] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0107.889] GetProcessHeap () returned 0x4e0000 [0107.889] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0107.889] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24dc808*=0x100) returned 1 [0107.889] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24dc804*=0x100) returned 1 [0107.890] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x3944, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.890] SetLastError (dwErrCode=0x0) [0107.890] WriteFile (in: hFile=0xfc, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.893] GetLastError () returned 0x0 [0107.893] GetLastError () returned 0x0 [0107.894] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x3a44, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.894] WriteFile (in: hFile=0xfc, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.894] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x3b44, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.894] lstrlenA (lpString="NEPHILIM") returned 8 [0107.894] WriteFile (in: hFile=0xfc, lpBuffer=0x50ba80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50ba80*, lpNumberOfBytesWritten=0x24dca3c*=0x8, lpOverlapped=0x0) returned 1 [0107.894] GetProcessHeap () returned 0x4e0000 [0107.894] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3944) returned 0x510cd0 [0107.894] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.894] ReadFile (in: hFile=0xfc, lpBuffer=0x510cd0, nNumberOfBytesToRead=0x3944, lpNumberOfBytesRead=0x24dca30, lpOverlapped=0x0 | out: lpBuffer=0x510cd0*, lpNumberOfBytesRead=0x24dca30*=0x3944, lpOverlapped=0x0) returned 1 [0107.896] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.897] WriteFile (in: hFile=0xfc, lpBuffer=0x510cd0*, nNumberOfBytesToWrite=0x3944, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x510cd0*, lpNumberOfBytesWritten=0x24dca3c*=0x3944, lpOverlapped=0x0) returned 1 [0107.897] GetProcessHeap () returned 0x4e0000 [0107.897] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x510cd0 | out: hHeap=0x4e0000) returned 1 [0107.897] CloseHandle (hObject=0xfc) returned 1 [0107.898] GetProcessHeap () returned 0x4e0000 [0107.898] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0107.898] GetProcessHeap () returned 0x4e0000 [0107.898] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0107.898] GetProcessHeap () returned 0x4e0000 [0107.898] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0107.899] GetProcessHeap () returned 0x4e0000 [0107.899] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0107.899] lstrcpyW (in: lpString1=0x24dc828, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" [0107.899] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.NEPHILIM" [0107.899] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d.nephilim")) returned 1 [0107.900] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x6e006c, dwReserved1=0x24dd560, cFileName="Help_MValidator.Lck", cAlternateFileName="HELP_M~1.LCK")) returned 1 [0107.900] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2=".") returned 1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="..") returned 1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="...") returned 1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="windows") returned -1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="$RECYCLE.BIN") returned 1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="rsa") returned -1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="log") returned -1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="NTDETECT.COM") returned -1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="ntldr") returned -1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="MSDOS.SYS") returned -1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="IO.SYS") returned -1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="boot.ini") returned 1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="AUTOEXEC.BAT") returned 1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="ntuser.dat") returned -1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="desktop.ini") returned 1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="CONFIG.SYS") returned 1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="RECYCLER") returned -1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="BOOTSECT.BAK") returned 1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="bootmgr") returned 1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="programdata") returned -1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="appdata") returned 1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="program files") returned -1 [0107.901] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="program files (x86)") returned -1 [0107.901] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0107.902] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help_MValidator.Lck" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" [0107.902] PathFindExtensionW (pszPath="Help_MValidator.Lck") returned=".Lck" [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".exe") returned 1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".log") returned -1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".cab") returned 1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".cmd") returned 1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".com") returned 1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".cpl") returned 1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".ini") returned 1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".dll") returned 1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".url") returned -1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".ttf") returned -1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".mp3") returned -1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".pif") returned -1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".mp4") returned -1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".NEPHILIM") returned -1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".msi") returned -1 [0107.902] lstrcmpiW (lpString1=".Lck", lpString2=".lnk") returned -1 [0107.902] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0107.902] lstrlenA (lpString="NEPHILIM") returned 8 [0107.902] GetProcessHeap () returned 0x4e0000 [0107.902] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50ba90 [0107.903] lstrlenA (lpString="NEPHILIM") returned 8 [0107.903] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xfc [0107.903] GetFileSizeEx (in: hFile=0xfc, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=4) returned 1 [0107.903] GetProcessHeap () returned 0x4e0000 [0107.903] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0107.903] GetProcessHeap () returned 0x4e0000 [0107.903] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0107.903] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0107.903] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0107.903] GetProcessHeap () returned 0x4e0000 [0107.903] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0107.904] GetProcessHeap () returned 0x4e0000 [0107.904] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0107.904] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24dc808*=0x100) returned 1 [0107.904] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24dc804*=0x100) returned 1 [0107.904] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.904] SetLastError (dwErrCode=0x0) [0107.904] WriteFile (in: hFile=0xfc, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.906] GetLastError () returned 0x0 [0107.906] GetLastError () returned 0x0 [0107.906] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x104, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.906] WriteFile (in: hFile=0xfc, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.906] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x204, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.906] lstrlenA (lpString="NEPHILIM") returned 8 [0107.906] WriteFile (in: hFile=0xfc, lpBuffer=0x50ba90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50ba90*, lpNumberOfBytesWritten=0x24dca3c*=0x8, lpOverlapped=0x0) returned 1 [0107.907] GetProcessHeap () returned 0x4e0000 [0107.907] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x4) returned 0x50baa0 [0107.907] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.907] ReadFile (in: hFile=0xfc, lpBuffer=0x50baa0, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x24dca30, lpOverlapped=0x0 | out: lpBuffer=0x50baa0*, lpNumberOfBytesRead=0x24dca30*=0x4, lpOverlapped=0x0) returned 1 [0107.907] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.907] WriteFile (in: hFile=0xfc, lpBuffer=0x50baa0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50baa0*, lpNumberOfBytesWritten=0x24dca3c*=0x4, lpOverlapped=0x0) returned 1 [0107.907] GetProcessHeap () returned 0x4e0000 [0107.907] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50baa0 | out: hHeap=0x4e0000) returned 1 [0107.907] CloseHandle (hObject=0xfc) returned 1 [0107.909] GetProcessHeap () returned 0x4e0000 [0107.909] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0107.909] GetProcessHeap () returned 0x4e0000 [0107.909] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0107.909] GetProcessHeap () returned 0x4e0000 [0107.909] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0107.909] GetProcessHeap () returned 0x4e0000 [0107.909] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0107.909] lstrcpyW (in: lpString1=0x24dc828, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" [0107.909] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.NEPHILIM" [0107.909] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck.nephilim")) returned 1 [0107.910] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x249fa376, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xd5310, dwReserved0=0x6e006c, dwReserved1=0x24dd560, cFileName="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", cAlternateFileName="HELP{9~1.H1Q")) returned 1 [0107.910] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2=".") returned 1 [0107.910] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="..") returned 1 [0107.910] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="...") returned 1 [0107.910] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="windows") returned -1 [0107.910] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="$RECYCLE.BIN") returned 1 [0107.910] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="rsa") returned -1 [0107.910] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="log") returned -1 [0107.910] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="NTDETECT.COM") returned -1 [0107.910] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="ntldr") returned -1 [0107.910] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="MSDOS.SYS") returned -1 [0107.910] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="IO.SYS") returned -1 [0107.911] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="boot.ini") returned 1 [0107.911] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="AUTOEXEC.BAT") returned 1 [0107.911] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="ntuser.dat") returned -1 [0107.911] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="desktop.ini") returned 1 [0107.911] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="CONFIG.SYS") returned 1 [0107.911] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="RECYCLER") returned -1 [0107.911] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="BOOTSECT.BAK") returned 1 [0107.911] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="bootmgr") returned 1 [0107.911] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="programdata") returned -1 [0107.911] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="appdata") returned 1 [0107.911] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="program files") returned -1 [0107.911] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="program files (x86)") returned -1 [0107.911] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0107.911] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" [0107.911] PathFindExtensionW (pszPath="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned=".H1Q" [0107.911] lstrcmpiW (lpString1=".H1Q", lpString2=".exe") returned 1 [0107.911] lstrcmpiW (lpString1=".H1Q", lpString2=".log") returned -1 [0107.911] lstrcmpiW (lpString1=".H1Q", lpString2=".cab") returned 1 [0107.911] lstrcmpiW (lpString1=".H1Q", lpString2=".cmd") returned 1 [0107.912] lstrcmpiW (lpString1=".H1Q", lpString2=".com") returned 1 [0107.912] lstrcmpiW (lpString1=".H1Q", lpString2=".cpl") returned 1 [0107.912] lstrcmpiW (lpString1=".H1Q", lpString2=".ini") returned -1 [0107.912] lstrcmpiW (lpString1=".H1Q", lpString2=".dll") returned 1 [0107.912] lstrcmpiW (lpString1=".H1Q", lpString2=".url") returned -1 [0107.912] lstrcmpiW (lpString1=".H1Q", lpString2=".ttf") returned -1 [0107.912] lstrcmpiW (lpString1=".H1Q", lpString2=".mp3") returned -1 [0107.912] lstrcmpiW (lpString1=".H1Q", lpString2=".pif") returned -1 [0107.912] lstrcmpiW (lpString1=".H1Q", lpString2=".mp4") returned -1 [0107.912] lstrcmpiW (lpString1=".H1Q", lpString2=".NEPHILIM") returned -1 [0107.912] lstrcmpiW (lpString1=".H1Q", lpString2=".msi") returned -1 [0107.912] lstrcmpiW (lpString1=".H1Q", lpString2=".lnk") returned -1 [0107.912] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0107.912] lstrlenA (lpString="NEPHILIM") returned 8 [0107.912] GetProcessHeap () returned 0x4e0000 [0107.912] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50baa0 [0107.913] lstrlenA (lpString="NEPHILIM") returned 8 [0107.913] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xfc [0107.913] GetFileSizeEx (in: hFile=0xfc, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=873232) returned 1 [0107.913] GetProcessHeap () returned 0x4e0000 [0107.913] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0107.913] GetProcessHeap () returned 0x4e0000 [0107.913] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0107.913] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0107.913] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0107.913] GetProcessHeap () returned 0x4e0000 [0107.913] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0107.913] GetProcessHeap () returned 0x4e0000 [0107.913] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0107.914] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24dc808*=0x100) returned 1 [0107.914] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24dc804*=0x100) returned 1 [0107.914] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0xd5310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.914] SetLastError (dwErrCode=0x0) [0107.914] WriteFile (in: hFile=0xfc, lpBuffer=0x508f68*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x508f68*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.939] GetLastError () returned 0x0 [0107.939] GetLastError () returned 0x0 [0107.939] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0xd5410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.939] WriteFile (in: hFile=0xfc, lpBuffer=0x509070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x509070*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0107.939] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0xd5510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.939] lstrlenA (lpString="NEPHILIM") returned 8 [0107.939] WriteFile (in: hFile=0xfc, lpBuffer=0x50baa0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50baa0*, lpNumberOfBytesWritten=0x24dca3c*=0x8, lpOverlapped=0x0) returned 1 [0107.939] GetProcessHeap () returned 0x4e0000 [0107.939] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xd5310) returned 0x22b0020 [0107.940] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.940] ReadFile (in: hFile=0xfc, lpBuffer=0x22b0020, nNumberOfBytesToRead=0xd5310, lpNumberOfBytesRead=0x24dca30, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesRead=0x24dca30*=0xd5310, lpOverlapped=0x0) returned 1 [0108.019] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.019] WriteFile (in: hFile=0xfc, lpBuffer=0x22b0020*, nNumberOfBytesToWrite=0xd5310, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesWritten=0x24dca3c*=0xd5310, lpOverlapped=0x0) returned 1 [0108.022] GetProcessHeap () returned 0x4e0000 [0108.022] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x22b0020 | out: hHeap=0x4e0000) returned 1 [0108.029] CloseHandle (hObject=0xfc) returned 1 [0108.041] GetProcessHeap () returned 0x4e0000 [0108.041] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x508f68 | out: hHeap=0x4e0000) returned 1 [0108.041] GetProcessHeap () returned 0x4e0000 [0108.041] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x509070 | out: hHeap=0x4e0000) returned 1 [0108.041] GetProcessHeap () returned 0x4e0000 [0108.041] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e10 | out: hHeap=0x4e0000) returned 1 [0108.041] GetProcessHeap () returned 0x4e0000 [0108.041] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x504e28 | out: hHeap=0x4e0000) returned 1 [0108.041] lstrcpyW (in: lpString1=0x24dc828, lpString2="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" [0108.041] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.NEPHILIM" [0108.041] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q.nephilim")) returned 1 [0108.042] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x249fa376, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xd5310, dwReserved0=0x6e006c, dwReserved1=0x24dd560, cFileName="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", cAlternateFileName="HELP{9~1.H1Q")) returned 0 [0108.042] FindClose (in: hFindFile=0x50aa00 | out: hFindFile=0x50aa00) returned 1 [0108.043] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="en-US", cAlternateFileName="")) returned 0 [0108.043] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0108.043] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="1.0", cAlternateFileName="")) returned 0 [0108.043] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0108.043] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Client", cAlternateFileName="")) returned 0 [0108.043] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0108.043] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Crypto", cAlternateFileName="")) returned 1 [0108.043] lstrcmpiW (lpString1="Crypto", lpString2=".") returned 1 [0108.043] lstrcmpiW (lpString1="Crypto", lpString2="..") returned 1 [0108.043] lstrcmpiW (lpString1="Crypto", lpString2="...") returned 1 [0108.043] lstrcmpiW (lpString1="Crypto", lpString2="windows") returned -1 [0108.043] lstrcmpiW (lpString1="Crypto", lpString2="$RECYCLE.BIN") returned 1 [0108.043] lstrcmpiW (lpString1="Crypto", lpString2="rsa") returned -1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="log") returned -1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="NTDETECT.COM") returned -1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="ntldr") returned -1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="MSDOS.SYS") returned -1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="IO.SYS") returned -1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="boot.ini") returned 1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="AUTOEXEC.BAT") returned 1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="ntuser.dat") returned -1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="desktop.ini") returned -1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="CONFIG.SYS") returned 1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="RECYCLER") returned -1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="BOOTSECT.BAK") returned 1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="bootmgr") returned 1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="programdata") returned -1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="appdata") returned 1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="program files") returned -1 [0108.044] lstrcmpiW (lpString1="Crypto", lpString2="program files (x86)") returned -1 [0108.044] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0108.044] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Crypto" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto") returned="C:\\Users\\All Users\\Microsoft\\Crypto" [0108.044] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\" [0108.044] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\" [0108.044] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" [0108.044] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0108.045] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.045] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0108.045] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.045] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.045] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="DSS", cAlternateFileName="")) returned 1 [0108.045] lstrcmpiW (lpString1="DSS", lpString2=".") returned 1 [0108.045] lstrcmpiW (lpString1="DSS", lpString2="..") returned 1 [0108.045] lstrcmpiW (lpString1="DSS", lpString2="...") returned 1 [0108.045] lstrcmpiW (lpString1="DSS", lpString2="windows") returned -1 [0108.045] lstrcmpiW (lpString1="DSS", lpString2="$RECYCLE.BIN") returned 1 [0108.045] lstrcmpiW (lpString1="DSS", lpString2="rsa") returned -1 [0108.045] lstrcmpiW (lpString1="DSS", lpString2="log") returned -1 [0108.045] lstrcmpiW (lpString1="DSS", lpString2="NTDETECT.COM") returned -1 [0108.045] lstrcmpiW (lpString1="DSS", lpString2="ntldr") returned -1 [0108.045] lstrcmpiW (lpString1="DSS", lpString2="MSDOS.SYS") returned -1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="IO.SYS") returned -1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="boot.ini") returned 1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="AUTOEXEC.BAT") returned 1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="ntuser.dat") returned -1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="desktop.ini") returned 1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="CONFIG.SYS") returned 1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="RECYCLER") returned -1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="BOOTSECT.BAK") returned 1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="bootmgr") returned 1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="programdata") returned -1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="appdata") returned 1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="program files") returned -1 [0108.046] lstrcmpiW (lpString1="DSS", lpString2="program files (x86)") returned -1 [0108.046] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\" [0108.046] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="DSS" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS" [0108.046] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\" [0108.046] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\" [0108.046] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*" [0108.046] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0108.047] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.047] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0108.047] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.047] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.047] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x24de260, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2=".") returned 1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="..") returned 1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="...") returned 1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="windows") returned -1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="$RECYCLE.BIN") returned 1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="rsa") returned -1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="log") returned 1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="NTDETECT.COM") returned -1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="ntldr") returned -1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="MSDOS.SYS") returned -1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="IO.SYS") returned 1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="boot.ini") returned 1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="AUTOEXEC.BAT") returned 1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="ntuser.dat") returned -1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="desktop.ini") returned 1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="CONFIG.SYS") returned 1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="RECYCLER") returned -1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="BOOTSECT.BAK") returned 1 [0108.047] lstrcmpiW (lpString1="MachineKeys", lpString2="bootmgr") returned 1 [0108.048] lstrcmpiW (lpString1="MachineKeys", lpString2="programdata") returned -1 [0108.048] lstrcmpiW (lpString1="MachineKeys", lpString2="appdata") returned 1 [0108.048] lstrcmpiW (lpString1="MachineKeys", lpString2="program files") returned -1 [0108.048] lstrcmpiW (lpString1="MachineKeys", lpString2="program files (x86)") returned -1 [0108.048] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\" [0108.048] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\", lpString2="MachineKeys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys" [0108.048] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\" [0108.048] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\" [0108.048] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*" [0108.048] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0108.048] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.048] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0108.048] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.048] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.048] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 0 [0108.048] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0108.049] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x24de260, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0 [0108.049] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0108.049] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Keys", cAlternateFileName="")) returned 1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2=".") returned 1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="..") returned 1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="...") returned 1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="windows") returned -1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="$RECYCLE.BIN") returned 1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="rsa") returned -1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="log") returned -1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="NTDETECT.COM") returned -1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="ntldr") returned -1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="MSDOS.SYS") returned -1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="IO.SYS") returned 1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="boot.ini") returned 1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="AUTOEXEC.BAT") returned 1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="ntuser.dat") returned -1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="desktop.ini") returned 1 [0108.049] lstrcmpiW (lpString1="Keys", lpString2="CONFIG.SYS") returned 1 [0108.050] lstrcmpiW (lpString1="Keys", lpString2="RECYCLER") returned -1 [0108.050] lstrcmpiW (lpString1="Keys", lpString2="BOOTSECT.BAK") returned 1 [0108.050] lstrcmpiW (lpString1="Keys", lpString2="bootmgr") returned 1 [0108.050] lstrcmpiW (lpString1="Keys", lpString2="programdata") returned -1 [0108.050] lstrcmpiW (lpString1="Keys", lpString2="appdata") returned 1 [0108.050] lstrcmpiW (lpString1="Keys", lpString2="program files") returned -1 [0108.050] lstrcmpiW (lpString1="Keys", lpString2="program files (x86)") returned -1 [0108.050] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\" [0108.050] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="Keys" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys" [0108.050] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\" [0108.050] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\" [0108.050] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*" [0108.050] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0108.058] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.058] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0108.059] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.059] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.059] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 0 [0108.059] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0108.059] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="RSA", cAlternateFileName="")) returned 1 [0108.059] lstrcmpiW (lpString1="RSA", lpString2=".") returned 1 [0108.059] lstrcmpiW (lpString1="RSA", lpString2="..") returned 1 [0108.059] lstrcmpiW (lpString1="RSA", lpString2="...") returned 1 [0108.059] lstrcmpiW (lpString1="RSA", lpString2="windows") returned -1 [0108.059] lstrcmpiW (lpString1="RSA", lpString2="$RECYCLE.BIN") returned 1 [0108.059] lstrcmpiW (lpString1="RSA", lpString2="rsa") returned 0 [0108.059] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="RSA", cAlternateFileName="")) returned 0 [0108.059] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0108.060] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2=".") returned 1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="..") returned 1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="...") returned 1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="windows") returned -1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="$RECYCLE.BIN") returned 1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="rsa") returned -1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="log") returned -1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="NTDETECT.COM") returned -1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="ntldr") returned -1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="MSDOS.SYS") returned -1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="IO.SYS") returned -1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="boot.ini") returned 1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="AUTOEXEC.BAT") returned 1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="ntuser.dat") returned -1 [0108.060] lstrcmpiW (lpString1="Device Stage", lpString2="desktop.ini") returned 1 [0108.061] lstrcmpiW (lpString1="Device Stage", lpString2="CONFIG.SYS") returned 1 [0108.061] lstrcmpiW (lpString1="Device Stage", lpString2="RECYCLER") returned -1 [0108.061] lstrcmpiW (lpString1="Device Stage", lpString2="BOOTSECT.BAK") returned 1 [0108.061] lstrcmpiW (lpString1="Device Stage", lpString2="bootmgr") returned 1 [0108.061] lstrcmpiW (lpString1="Device Stage", lpString2="programdata") returned -1 [0108.061] lstrcmpiW (lpString1="Device Stage", lpString2="appdata") returned 1 [0108.061] lstrcmpiW (lpString1="Device Stage", lpString2="program files") returned -1 [0108.061] lstrcmpiW (lpString1="Device Stage", lpString2="program files (x86)") returned -1 [0108.061] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0108.061] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Device Stage" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage") returned="C:\\Users\\All Users\\Microsoft\\Device Stage" [0108.061] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\" [0108.061] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\" [0108.061] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" [0108.061] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0108.062] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.062] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0108.062] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.062] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.062] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Device", cAlternateFileName="")) returned 1 [0108.062] lstrcmpiW (lpString1="Device", lpString2=".") returned 1 [0108.062] lstrcmpiW (lpString1="Device", lpString2="..") returned 1 [0108.062] lstrcmpiW (lpString1="Device", lpString2="...") returned 1 [0108.062] lstrcmpiW (lpString1="Device", lpString2="windows") returned -1 [0108.062] lstrcmpiW (lpString1="Device", lpString2="$RECYCLE.BIN") returned 1 [0108.062] lstrcmpiW (lpString1="Device", lpString2="rsa") returned -1 [0108.062] lstrcmpiW (lpString1="Device", lpString2="log") returned -1 [0108.062] lstrcmpiW (lpString1="Device", lpString2="NTDETECT.COM") returned -1 [0108.062] lstrcmpiW (lpString1="Device", lpString2="ntldr") returned -1 [0108.062] lstrcmpiW (lpString1="Device", lpString2="MSDOS.SYS") returned -1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="IO.SYS") returned -1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="boot.ini") returned 1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="AUTOEXEC.BAT") returned 1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="ntuser.dat") returned -1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="desktop.ini") returned 1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="CONFIG.SYS") returned 1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="RECYCLER") returned -1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="BOOTSECT.BAK") returned 1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="bootmgr") returned 1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="programdata") returned -1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="appdata") returned 1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="program files") returned -1 [0108.063] lstrcmpiW (lpString1="Device", lpString2="program files (x86)") returned -1 [0108.063] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\" [0108.063] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\", lpString2="Device" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" [0108.063] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\" [0108.063] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\" [0108.063] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" [0108.063] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0108.065] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.065] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0108.065] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.065] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.065] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0108.065] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2=".") returned 1 [0108.065] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="..") returned 1 [0108.065] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="...") returned 1 [0108.065] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="windows") returned -1 [0108.065] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="$RECYCLE.BIN") returned 1 [0108.065] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="rsa") returned -1 [0108.065] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="log") returned -1 [0108.065] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="NTDETECT.COM") returned -1 [0108.065] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="ntldr") returned -1 [0108.065] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="MSDOS.SYS") returned -1 [0108.065] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="IO.SYS") returned -1 [0108.066] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="boot.ini") returned -1 [0108.066] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="AUTOEXEC.BAT") returned -1 [0108.066] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="ntuser.dat") returned -1 [0108.066] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="desktop.ini") returned -1 [0108.066] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="CONFIG.SYS") returned -1 [0108.066] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="RECYCLER") returned -1 [0108.066] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="BOOTSECT.BAK") returned -1 [0108.066] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="bootmgr") returned -1 [0108.066] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="programdata") returned -1 [0108.066] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="appdata") returned -1 [0108.066] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="program files") returned -1 [0108.066] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="program files (x86)") returned -1 [0108.066] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\" [0108.066] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" [0108.066] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0108.066] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0108.066] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0108.066] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0108.069] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.069] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0108.069] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.069] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.069] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName="background.png", cAlternateFileName="")) returned 1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2=".") returned 1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="..") returned 1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="...") returned 1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="windows") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="$RECYCLE.BIN") returned 1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="rsa") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="log") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="NTDETECT.COM") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="ntldr") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="MSDOS.SYS") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="IO.SYS") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="boot.ini") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="AUTOEXEC.BAT") returned 1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="ntuser.dat") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="desktop.ini") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="CONFIG.SYS") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="RECYCLER") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="BOOTSECT.BAK") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="bootmgr") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="programdata") returned -1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="appdata") returned 1 [0108.070] lstrcmpiW (lpString1="background.png", lpString2="program files") returned -1 [0108.071] lstrcmpiW (lpString1="background.png", lpString2="program files (x86)") returned -1 [0108.071] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0108.071] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="background.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" [0108.071] PathFindExtensionW (pszPath="background.png") returned=".png" [0108.071] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0108.071] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0108.072] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0108.072] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0108.072] lstrcmpiW (lpString1="background.png", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0108.072] lstrlenA (lpString="NEPHILIM") returned 8 [0108.072] GetProcessHeap () returned 0x4e0000 [0108.072] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bab0 [0108.072] lstrlenA (lpString="NEPHILIM") returned 8 [0108.072] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.072] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.072] GetProcessHeap () returned 0x4e0000 [0108.072] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e28 [0108.072] GetProcessHeap () returned 0x4e0000 [0108.072] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e10 [0108.072] SystemFunction036 (in: RandomBuffer=0x504e28, RandomBufferLength=0x10 | out: RandomBuffer=0x504e28) returned 1 [0108.072] SystemFunction036 (in: RandomBuffer=0x504e10, RandomBufferLength=0x10 | out: RandomBuffer=0x504e10) returned 1 [0108.073] GetProcessHeap () returned 0x4e0000 [0108.073] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509070 [0108.073] GetProcessHeap () returned 0x4e0000 [0108.073] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x508f68 [0108.073] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x509070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.073] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x508f68*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x508f68*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.073] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.073] SetLastError (dwErrCode=0x0) [0108.073] WriteFile (in: hFile=0xffffffff, lpBuffer=0x509070, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.074] GetLastError () returned 0x6 [0108.074] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7c5b0d9, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xc7c5b0d9, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xc7c5b0d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2=".") returned 1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="..") returned 1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="...") returned 1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="windows") returned -1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="$RECYCLE.BIN") returned 1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="rsa") returned -1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="log") returned -1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="NTDETECT.COM") returned -1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="ntldr") returned -1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="MSDOS.SYS") returned -1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="IO.SYS") returned -1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="boot.ini") returned -1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="AUTOEXEC.BAT") returned 1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="ntuser.dat") returned -1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="desktop.ini") returned -1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="CONFIG.SYS") returned -1 [0108.074] lstrcmpiW (lpString1="behavior.xml", lpString2="RECYCLER") returned -1 [0108.075] lstrcmpiW (lpString1="behavior.xml", lpString2="BOOTSECT.BAK") returned -1 [0108.075] lstrcmpiW (lpString1="behavior.xml", lpString2="bootmgr") returned -1 [0108.075] lstrcmpiW (lpString1="behavior.xml", lpString2="programdata") returned -1 [0108.075] lstrcmpiW (lpString1="behavior.xml", lpString2="appdata") returned 1 [0108.075] lstrcmpiW (lpString1="behavior.xml", lpString2="program files") returned -1 [0108.075] lstrcmpiW (lpString1="behavior.xml", lpString2="program files (x86)") returned -1 [0108.075] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0108.075] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="behavior.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" [0108.075] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0108.075] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0108.076] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0108.076] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0108.076] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0108.076] lstrcmpiW (lpString1="behavior.xml", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0108.076] lstrlenA (lpString="NEPHILIM") returned 8 [0108.076] GetProcessHeap () returned 0x4e0000 [0108.076] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bac0 [0108.076] lstrlenA (lpString="NEPHILIM") returned 8 [0108.076] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.077] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.078] GetProcessHeap () returned 0x4e0000 [0108.078] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x504e40 [0108.078] GetProcessHeap () returned 0x4e0000 [0108.078] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ccc8 [0108.078] SystemFunction036 (in: RandomBuffer=0x504e40, RandomBufferLength=0x10 | out: RandomBuffer=0x504e40) returned 1 [0108.078] SystemFunction036 (in: RandomBuffer=0x50ccc8, RandomBufferLength=0x10 | out: RandomBuffer=0x50ccc8) returned 1 [0108.078] GetProcessHeap () returned 0x4e0000 [0108.078] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509178 [0108.078] GetProcessHeap () returned 0x4e0000 [0108.078] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509280 [0108.078] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x509178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.079] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509280*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x509280*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.079] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.079] SetLastError (dwErrCode=0x0) [0108.079] WriteFile (in: hFile=0xffffffff, lpBuffer=0x509178, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.079] GetLastError () returned 0x6 [0108.079] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName="device.png", cAlternateFileName="")) returned 1 [0108.079] lstrcmpiW (lpString1="device.png", lpString2=".") returned 1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="..") returned 1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="...") returned 1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="windows") returned -1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="$RECYCLE.BIN") returned 1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="rsa") returned -1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="log") returned -1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="NTDETECT.COM") returned -1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="ntldr") returned -1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="MSDOS.SYS") returned -1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="IO.SYS") returned -1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="boot.ini") returned 1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="AUTOEXEC.BAT") returned 1 [0108.080] lstrcmpiW (lpString1="device.png", lpString2="ntuser.dat") returned -1 [0108.081] lstrcmpiW (lpString1="device.png", lpString2="desktop.ini") returned 1 [0108.081] lstrcmpiW (lpString1="device.png", lpString2="CONFIG.SYS") returned 1 [0108.081] lstrcmpiW (lpString1="device.png", lpString2="RECYCLER") returned -1 [0108.081] lstrcmpiW (lpString1="device.png", lpString2="BOOTSECT.BAK") returned 1 [0108.081] lstrcmpiW (lpString1="device.png", lpString2="bootmgr") returned 1 [0108.081] lstrcmpiW (lpString1="device.png", lpString2="programdata") returned -1 [0108.081] lstrcmpiW (lpString1="device.png", lpString2="appdata") returned 1 [0108.081] lstrcmpiW (lpString1="device.png", lpString2="program files") returned -1 [0108.081] lstrcmpiW (lpString1="device.png", lpString2="program files (x86)") returned -1 [0108.081] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0108.081] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="device.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" [0108.081] PathFindExtensionW (pszPath="device.png") returned=".png" [0108.081] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0108.081] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0108.081] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0108.081] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0108.081] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0108.081] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0108.081] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0108.081] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0108.082] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0108.082] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0108.082] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0108.082] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0108.082] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0108.082] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0108.082] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0108.082] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0108.082] lstrcmpiW (lpString1="device.png", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0108.082] lstrlenA (lpString="NEPHILIM") returned 8 [0108.082] GetProcessHeap () returned 0x4e0000 [0108.082] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bad0 [0108.082] lstrlenA (lpString="NEPHILIM") returned 8 [0108.082] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.082] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.082] GetProcessHeap () returned 0x4e0000 [0108.083] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cce0 [0108.083] GetProcessHeap () returned 0x4e0000 [0108.083] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ccf8 [0108.083] SystemFunction036 (in: RandomBuffer=0x50cce0, RandomBufferLength=0x10 | out: RandomBuffer=0x50cce0) returned 1 [0108.083] SystemFunction036 (in: RandomBuffer=0x50ccf8, RandomBufferLength=0x10 | out: RandomBuffer=0x50ccf8) returned 1 [0108.083] GetProcessHeap () returned 0x4e0000 [0108.083] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509388 [0108.083] GetProcessHeap () returned 0x4e0000 [0108.083] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509490 [0108.083] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509388*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x509388*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.083] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509490*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x509490*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.083] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.084] SetLastError (dwErrCode=0x0) [0108.084] WriteFile (in: hFile=0xffffffff, lpBuffer=0x509388, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.084] GetLastError () returned 0x6 [0108.084] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0a07cc, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0a07cc, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2=".") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="..") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="...") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="windows") returned -1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="$RECYCLE.BIN") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="rsa") returned -1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="log") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="NTDETECT.COM") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="ntldr") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="MSDOS.SYS") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="IO.SYS") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="boot.ini") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="AUTOEXEC.BAT") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="ntuser.dat") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="desktop.ini") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="CONFIG.SYS") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="RECYCLER") returned -1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="BOOTSECT.BAK") returned 1 [0108.084] lstrcmpiW (lpString1="overlay.png", lpString2="bootmgr") returned 1 [0108.085] lstrcmpiW (lpString1="overlay.png", lpString2="programdata") returned -1 [0108.085] lstrcmpiW (lpString1="overlay.png", lpString2="appdata") returned 1 [0108.085] lstrcmpiW (lpString1="overlay.png", lpString2="program files") returned -1 [0108.085] lstrcmpiW (lpString1="overlay.png", lpString2="program files (x86)") returned -1 [0108.085] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0108.085] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="overlay.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" [0108.085] PathFindExtensionW (pszPath="overlay.png") returned=".png" [0108.085] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0108.085] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0108.085] lstrcmpiW (lpString1="overlay.png", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.085] lstrlenA (lpString="NEPHILIM") returned 8 [0108.085] GetProcessHeap () returned 0x4e0000 [0108.086] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bae0 [0108.086] lstrlenA (lpString="NEPHILIM") returned 8 [0108.086] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.086] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.086] GetProcessHeap () returned 0x4e0000 [0108.086] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cd10 [0108.086] GetProcessHeap () returned 0x4e0000 [0108.086] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cd28 [0108.086] SystemFunction036 (in: RandomBuffer=0x50cd10, RandomBufferLength=0x10 | out: RandomBuffer=0x50cd10) returned 1 [0108.086] SystemFunction036 (in: RandomBuffer=0x50cd28, RandomBufferLength=0x10 | out: RandomBuffer=0x50cd28) returned 1 [0108.086] GetProcessHeap () returned 0x4e0000 [0108.086] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x509598 [0108.086] GetProcessHeap () returned 0x4e0000 [0108.086] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5096a0 [0108.086] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x509598*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x509598*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.087] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5096a0*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x5096a0*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.087] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.087] SetLastError (dwErrCode=0x0) [0108.087] WriteFile (in: hFile=0xffffffff, lpBuffer=0x509598, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.087] GetLastError () returned 0x6 [0108.087] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0c6929, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0c6929, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2=".") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="..") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="...") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="windows") returned -1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="$RECYCLE.BIN") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="rsa") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="log") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="NTDETECT.COM") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="ntldr") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="MSDOS.SYS") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="IO.SYS") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="boot.ini") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="AUTOEXEC.BAT") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="ntuser.dat") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="desktop.ini") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="CONFIG.SYS") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="RECYCLER") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="BOOTSECT.BAK") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="bootmgr") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="programdata") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="appdata") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="program files") returned 1 [0108.088] lstrcmpiW (lpString1="superbar.png", lpString2="program files (x86)") returned 1 [0108.088] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0108.088] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="superbar.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" [0108.089] PathFindExtensionW (pszPath="superbar.png") returned=".png" [0108.089] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0108.089] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0108.089] lstrcmpiW (lpString1="superbar.png", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.089] lstrlenA (lpString="NEPHILIM") returned 8 [0108.089] GetProcessHeap () returned 0x4e0000 [0108.090] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50baf0 [0108.090] lstrlenA (lpString="NEPHILIM") returned 8 [0108.090] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.091] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.091] GetProcessHeap () returned 0x4e0000 [0108.091] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cd40 [0108.091] GetProcessHeap () returned 0x4e0000 [0108.091] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cd58 [0108.091] SystemFunction036 (in: RandomBuffer=0x50cd40, RandomBufferLength=0x10 | out: RandomBuffer=0x50cd40) returned 1 [0108.091] SystemFunction036 (in: RandomBuffer=0x50cd58, RandomBufferLength=0x10 | out: RandomBuffer=0x50cd58) returned 1 [0108.091] GetProcessHeap () returned 0x4e0000 [0108.091] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x50ffe8 [0108.092] GetProcessHeap () returned 0x4e0000 [0108.092] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5100f0 [0108.092] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x50ffe8*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x50ffe8*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.092] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5100f0*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x5100f0*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.092] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.092] SetLastError (dwErrCode=0x0) [0108.092] WriteFile (in: hFile=0xffffffff, lpBuffer=0x50ffe8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.092] GetLastError () returned 0x6 [0108.092] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0c6929, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0c6929, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName="superbar.png", cAlternateFileName="")) returned 0 [0108.093] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0108.094] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2=".") returned 1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="..") returned 1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="...") returned 1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="windows") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="$RECYCLE.BIN") returned 1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="rsa") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="log") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="NTDETECT.COM") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="ntldr") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="MSDOS.SYS") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="IO.SYS") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="boot.ini") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="AUTOEXEC.BAT") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="ntuser.dat") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="desktop.ini") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="CONFIG.SYS") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="RECYCLER") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="BOOTSECT.BAK") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="bootmgr") returned -1 [0108.094] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="programdata") returned -1 [0108.095] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="appdata") returned -1 [0108.095] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="program files") returned -1 [0108.095] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="program files (x86)") returned -1 [0108.095] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\" [0108.095] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" [0108.095] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" [0108.095] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" [0108.095] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0108.095] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0108.095] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.095] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0108.095] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.096] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.096] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0af2f7, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x9c0af2f7, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x9c0af2f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName="background.png", cAlternateFileName="")) returned 1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2=".") returned 1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="..") returned 1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="...") returned 1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="windows") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="$RECYCLE.BIN") returned 1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="rsa") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="log") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="NTDETECT.COM") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="ntldr") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="MSDOS.SYS") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="IO.SYS") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="boot.ini") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="AUTOEXEC.BAT") returned 1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="ntuser.dat") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="desktop.ini") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="CONFIG.SYS") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="RECYCLER") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="BOOTSECT.BAK") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="bootmgr") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="programdata") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="appdata") returned 1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="program files") returned -1 [0108.096] lstrcmpiW (lpString1="background.png", lpString2="program files (x86)") returned -1 [0108.097] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" [0108.097] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="background.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" [0108.097] PathFindExtensionW (pszPath="background.png") returned=".png" [0108.097] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0108.097] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0108.097] lstrcmpiW (lpString1="background.png", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0108.097] lstrlenA (lpString="NEPHILIM") returned 8 [0108.097] GetProcessHeap () returned 0x4e0000 [0108.097] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bb00 [0108.098] lstrlenA (lpString="NEPHILIM") returned 8 [0108.098] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.098] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.098] GetProcessHeap () returned 0x4e0000 [0108.098] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cd70 [0108.098] GetProcessHeap () returned 0x4e0000 [0108.098] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cd88 [0108.098] SystemFunction036 (in: RandomBuffer=0x50cd70, RandomBufferLength=0x10 | out: RandomBuffer=0x50cd70) returned 1 [0108.098] SystemFunction036 (in: RandomBuffer=0x50cd88, RandomBufferLength=0x10 | out: RandomBuffer=0x50cd88) returned 1 [0108.098] GetProcessHeap () returned 0x4e0000 [0108.098] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5101f8 [0108.098] GetProcessHeap () returned 0x4e0000 [0108.098] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510300 [0108.098] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5101f8*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x5101f8*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.099] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510300*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x510300*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.099] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.099] SetLastError (dwErrCode=0x0) [0108.099] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5101f8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.099] GetLastError () returned 0x6 [0108.099] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2feb941, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2feb941, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x769, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0108.099] lstrcmpiW (lpString1="behavior.xml", lpString2=".") returned 1 [0108.099] lstrcmpiW (lpString1="behavior.xml", lpString2="..") returned 1 [0108.099] lstrcmpiW (lpString1="behavior.xml", lpString2="...") returned 1 [0108.099] lstrcmpiW (lpString1="behavior.xml", lpString2="windows") returned -1 [0108.099] lstrcmpiW (lpString1="behavior.xml", lpString2="$RECYCLE.BIN") returned 1 [0108.099] lstrcmpiW (lpString1="behavior.xml", lpString2="rsa") returned -1 [0108.099] lstrcmpiW (lpString1="behavior.xml", lpString2="log") returned -1 [0108.099] lstrcmpiW (lpString1="behavior.xml", lpString2="NTDETECT.COM") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="ntldr") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="MSDOS.SYS") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="IO.SYS") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="boot.ini") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="AUTOEXEC.BAT") returned 1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="ntuser.dat") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="desktop.ini") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="CONFIG.SYS") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="RECYCLER") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="BOOTSECT.BAK") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="bootmgr") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="programdata") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="appdata") returned 1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="program files") returned -1 [0108.100] lstrcmpiW (lpString1="behavior.xml", lpString2="program files (x86)") returned -1 [0108.100] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" [0108.100] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="behavior.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" [0108.100] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0108.100] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0108.100] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0108.100] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0108.100] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0108.100] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0108.100] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0108.100] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0108.100] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0108.101] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0108.101] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0108.101] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0108.101] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0108.101] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0108.101] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0108.101] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0108.101] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0108.101] lstrcmpiW (lpString1="behavior.xml", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0108.101] lstrlenA (lpString="NEPHILIM") returned 8 [0108.101] GetProcessHeap () returned 0x4e0000 [0108.101] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bb10 [0108.101] lstrlenA (lpString="NEPHILIM") returned 8 [0108.101] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.101] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.101] GetProcessHeap () returned 0x4e0000 [0108.101] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cda0 [0108.101] GetProcessHeap () returned 0x4e0000 [0108.101] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cdb8 [0108.102] SystemFunction036 (in: RandomBuffer=0x50cda0, RandomBufferLength=0x10 | out: RandomBuffer=0x50cda0) returned 1 [0108.102] SystemFunction036 (in: RandomBuffer=0x50cdb8, RandomBufferLength=0x10 | out: RandomBuffer=0x50cdb8) returned 1 [0108.102] GetProcessHeap () returned 0x4e0000 [0108.102] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510408 [0108.102] GetProcessHeap () returned 0x4e0000 [0108.102] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510510 [0108.102] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510408*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x510408*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.102] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510510*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x510510*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.108] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.108] SetLastError (dwErrCode=0x0) [0108.108] WriteFile (in: hFile=0xffffffff, lpBuffer=0x510408, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.108] GetLastError () returned 0x6 [0108.108] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2=".") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="..") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="...") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="windows") returned -1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="$RECYCLE.BIN") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="rsa") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="log") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="NTDETECT.COM") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="ntldr") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="MSDOS.SYS") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="IO.SYS") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="boot.ini") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="AUTOEXEC.BAT") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="ntuser.dat") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="desktop.ini") returned 1 [0108.108] lstrcmpiW (lpString1="watermark.png", lpString2="CONFIG.SYS") returned 1 [0108.109] lstrcmpiW (lpString1="watermark.png", lpString2="RECYCLER") returned 1 [0108.109] lstrcmpiW (lpString1="watermark.png", lpString2="BOOTSECT.BAK") returned 1 [0108.109] lstrcmpiW (lpString1="watermark.png", lpString2="bootmgr") returned 1 [0108.109] lstrcmpiW (lpString1="watermark.png", lpString2="programdata") returned 1 [0108.109] lstrcmpiW (lpString1="watermark.png", lpString2="appdata") returned 1 [0108.109] lstrcmpiW (lpString1="watermark.png", lpString2="program files") returned 1 [0108.109] lstrcmpiW (lpString1="watermark.png", lpString2="program files (x86)") returned 1 [0108.109] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" [0108.109] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="watermark.png" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" [0108.109] PathFindExtensionW (pszPath="watermark.png") returned=".png" [0108.109] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0108.109] lstrcmpiW (lpString1=".png", lpString2=".NEPHILIM") returned 1 [0108.110] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0108.110] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0108.110] lstrcmpiW (lpString1="watermark.png", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.110] lstrlenA (lpString="NEPHILIM") returned 8 [0108.110] GetProcessHeap () returned 0x4e0000 [0108.110] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bb20 [0108.110] lstrlenA (lpString="NEPHILIM") returned 8 [0108.110] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.110] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.110] GetProcessHeap () returned 0x4e0000 [0108.110] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cdd0 [0108.110] GetProcessHeap () returned 0x4e0000 [0108.110] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cde8 [0108.110] SystemFunction036 (in: RandomBuffer=0x50cdd0, RandomBufferLength=0x10 | out: RandomBuffer=0x50cdd0) returned 1 [0108.111] SystemFunction036 (in: RandomBuffer=0x50cde8, RandomBufferLength=0x10 | out: RandomBuffer=0x50cde8) returned 1 [0108.111] GetProcessHeap () returned 0x4e0000 [0108.111] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510618 [0108.111] GetProcessHeap () returned 0x4e0000 [0108.111] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510720 [0108.111] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510618*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x510618*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.111] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510720*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x510720*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.111] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.111] SetLastError (dwErrCode=0x0) [0108.111] WriteFile (in: hFile=0xffffffff, lpBuffer=0x510618, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.111] GetLastError () returned 0x6 [0108.112] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x6a0068, dwReserved1=0x24ddbe0, cFileName="watermark.png", cAlternateFileName="")) returned 0 [0108.112] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0108.112] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0108.112] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0108.112] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Task", cAlternateFileName="")) returned 1 [0108.112] lstrcmpiW (lpString1="Task", lpString2=".") returned 1 [0108.112] lstrcmpiW (lpString1="Task", lpString2="..") returned 1 [0108.112] lstrcmpiW (lpString1="Task", lpString2="...") returned 1 [0108.112] lstrcmpiW (lpString1="Task", lpString2="windows") returned -1 [0108.112] lstrcmpiW (lpString1="Task", lpString2="$RECYCLE.BIN") returned 1 [0108.112] lstrcmpiW (lpString1="Task", lpString2="rsa") returned 1 [0108.112] lstrcmpiW (lpString1="Task", lpString2="log") returned 1 [0108.112] lstrcmpiW (lpString1="Task", lpString2="NTDETECT.COM") returned 1 [0108.112] lstrcmpiW (lpString1="Task", lpString2="ntldr") returned 1 [0108.112] lstrcmpiW (lpString1="Task", lpString2="MSDOS.SYS") returned 1 [0108.112] lstrcmpiW (lpString1="Task", lpString2="IO.SYS") returned 1 [0108.112] lstrcmpiW (lpString1="Task", lpString2="boot.ini") returned 1 [0108.112] lstrcmpiW (lpString1="Task", lpString2="AUTOEXEC.BAT") returned 1 [0108.113] lstrcmpiW (lpString1="Task", lpString2="ntuser.dat") returned 1 [0108.113] lstrcmpiW (lpString1="Task", lpString2="desktop.ini") returned 1 [0108.113] lstrcmpiW (lpString1="Task", lpString2="CONFIG.SYS") returned 1 [0108.113] lstrcmpiW (lpString1="Task", lpString2="RECYCLER") returned 1 [0108.113] lstrcmpiW (lpString1="Task", lpString2="BOOTSECT.BAK") returned 1 [0108.113] lstrcmpiW (lpString1="Task", lpString2="bootmgr") returned 1 [0108.113] lstrcmpiW (lpString1="Task", lpString2="programdata") returned 1 [0108.113] lstrcmpiW (lpString1="Task", lpString2="appdata") returned 1 [0108.113] lstrcmpiW (lpString1="Task", lpString2="program files") returned 1 [0108.113] lstrcmpiW (lpString1="Task", lpString2="program files (x86)") returned 1 [0108.113] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\" [0108.113] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\", lpString2="Task" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" [0108.113] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\" [0108.113] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\" [0108.113] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" [0108.113] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0108.114] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.114] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0108.114] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.114] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.114] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2=".") returned 1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="..") returned 1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="...") returned 1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="windows") returned -1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="$RECYCLE.BIN") returned 1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="rsa") returned -1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="log") returned -1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="NTDETECT.COM") returned -1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="ntldr") returned -1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="MSDOS.SYS") returned -1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="IO.SYS") returned -1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="boot.ini") returned -1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="AUTOEXEC.BAT") returned -1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="ntuser.dat") returned -1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="desktop.ini") returned -1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="CONFIG.SYS") returned -1 [0108.114] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="RECYCLER") returned -1 [0108.115] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="BOOTSECT.BAK") returned -1 [0108.115] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="bootmgr") returned -1 [0108.115] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="programdata") returned -1 [0108.115] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="appdata") returned -1 [0108.115] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="program files") returned -1 [0108.115] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="program files (x86)") returned -1 [0108.115] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\" [0108.115] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" [0108.115] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0108.115] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0108.115] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" [0108.115] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0108.128] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.128] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0108.128] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.128] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.128] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="en-US", cAlternateFileName="")) returned 1 [0108.128] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0108.128] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0108.128] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0108.128] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="log") returned -1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="NTDETECT.COM") returned -1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="ntldr") returned -1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="MSDOS.SYS") returned -1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="IO.SYS") returned -1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="boot.ini") returned 1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="AUTOEXEC.BAT") returned 1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="desktop.ini") returned 1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="CONFIG.SYS") returned 1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="RECYCLER") returned -1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="BOOTSECT.BAK") returned 1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0108.129] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0108.129] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0108.129] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="en-US" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" [0108.129] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\" [0108.130] lstrcpyW (in: lpString1=0x24dcee0, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\" [0108.130] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*" [0108.130] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*", lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb400b2, dwReserved1=0x24dd560, cFileName=".", cAlternateFileName="")) returned 0x50aa00 [0108.130] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.130] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb400b2, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 1 [0108.130] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.130] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.131] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x932b6af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x932b6af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0xb400b2, dwReserved1=0x24dd560, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2=".") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="..") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="...") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="windows") returned -1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="$RECYCLE.BIN") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="rsa") returned -1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="log") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="NTDETECT.COM") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="ntldr") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="MSDOS.SYS") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="IO.SYS") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="boot.ini") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="AUTOEXEC.BAT") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="ntuser.dat") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="desktop.ini") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="CONFIG.SYS") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="RECYCLER") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="BOOTSECT.BAK") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="bootmgr") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="programdata") returned 1 [0108.131] lstrcmpiW (lpString1="resource.xml", lpString2="appdata") returned 1 [0108.132] lstrcmpiW (lpString1="resource.xml", lpString2="program files") returned 1 [0108.132] lstrcmpiW (lpString1="resource.xml", lpString2="program files (x86)") returned 1 [0108.132] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\" [0108.132] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", lpString2="resource.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" [0108.132] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0108.132] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0108.133] lstrcmpiW (lpString1="resource.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.133] lstrlenA (lpString="NEPHILIM") returned 8 [0108.133] GetProcessHeap () returned 0x4e0000 [0108.133] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bb30 [0108.133] lstrlenA (lpString="NEPHILIM") returned 8 [0108.133] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.134] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=4294968320) returned 0 [0108.134] GetProcessHeap () returned 0x4e0000 [0108.134] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ce00 [0108.135] GetProcessHeap () returned 0x4e0000 [0108.135] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ce18 [0108.135] SystemFunction036 (in: RandomBuffer=0x50ce00, RandomBufferLength=0x10 | out: RandomBuffer=0x50ce00) returned 1 [0108.135] SystemFunction036 (in: RandomBuffer=0x50ce18, RandomBufferLength=0x10 | out: RandomBuffer=0x50ce18) returned 1 [0108.135] GetProcessHeap () returned 0x4e0000 [0108.135] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510828 [0108.135] GetProcessHeap () returned 0x4e0000 [0108.135] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510930 [0108.135] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510828*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x510828*, pdwDataLen=0x24dc808*=0x100) returned 1 [0108.135] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510930*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x510930*, pdwDataLen=0x24dc804*=0x100) returned 1 [0108.136] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.136] SetLastError (dwErrCode=0x0) [0108.136] WriteFile (in: hFile=0xffffffff, lpBuffer=0x510828, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0) returned 0 [0108.136] GetLastError () returned 0x6 [0108.136] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x932b6af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x932b6af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0xb400b2, dwReserved1=0x24dd560, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0108.136] FindClose (in: hFindFile=0x50aa00 | out: hFindFile=0x50aa00) returned 1 [0108.136] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c7f9e6, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2c7f9e6, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c0e93d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0108.136] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0108.136] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0108.136] lstrcmpiW (lpString1="folder.ico", lpString2="...") returned 1 [0108.136] lstrcmpiW (lpString1="folder.ico", lpString2="windows") returned -1 [0108.136] lstrcmpiW (lpString1="folder.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.136] lstrcmpiW (lpString1="folder.ico", lpString2="rsa") returned -1 [0108.136] lstrcmpiW (lpString1="folder.ico", lpString2="log") returned -1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="NTDETECT.COM") returned -1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="ntldr") returned -1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="MSDOS.SYS") returned -1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="IO.SYS") returned -1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="boot.ini") returned 1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="ntuser.dat") returned -1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="desktop.ini") returned 1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="CONFIG.SYS") returned 1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="RECYCLER") returned -1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="bootmgr") returned 1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="programdata") returned -1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="appdata") returned 1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="program files") returned -1 [0108.137] lstrcmpiW (lpString1="folder.ico", lpString2="program files (x86)") returned -1 [0108.137] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0108.137] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="folder.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" [0108.137] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0108.137] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.137] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.137] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.137] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.137] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.137] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.138] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.138] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.138] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.138] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.138] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.138] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.138] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.138] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.138] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.138] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.138] lstrcmpiW (lpString1="folder.ico", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0108.138] lstrlenA (lpString="NEPHILIM") returned 8 [0108.138] GetProcessHeap () returned 0x4e0000 [0108.138] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bb40 [0108.138] lstrlenA (lpString="NEPHILIM") returned 8 [0108.138] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.139] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.139] GetProcessHeap () returned 0x4e0000 [0108.139] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ce30 [0108.139] GetProcessHeap () returned 0x4e0000 [0108.139] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ce48 [0108.139] SystemFunction036 (in: RandomBuffer=0x50ce30, RandomBufferLength=0x10 | out: RandomBuffer=0x50ce30) returned 1 [0108.139] SystemFunction036 (in: RandomBuffer=0x50ce48, RandomBufferLength=0x10 | out: RandomBuffer=0x50ce48) returned 1 [0108.139] GetProcessHeap () returned 0x4e0000 [0108.139] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510a38 [0108.139] GetProcessHeap () returned 0x4e0000 [0108.139] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510b40 [0108.139] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510a38*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x510a38*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.139] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510b40*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x510b40*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.140] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.140] SetLastError (dwErrCode=0x0) [0108.140] WriteFile (in: hFile=0xffffffff, lpBuffer=0x510a38, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.140] GetLastError () returned 0x6 [0108.140] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2db04ce, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2db04ce, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c0e93d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2=".") returned 1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="..") returned 1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="...") returned 1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="windows") returned -1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="rsa") returned -1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="log") returned 1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="NTDETECT.COM") returned -1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="ntldr") returned -1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="MSDOS.SYS") returned 1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="IO.SYS") returned 1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="boot.ini") returned 1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="ntuser.dat") returned -1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="desktop.ini") returned 1 [0108.140] lstrcmpiW (lpString1="netfol.ico", lpString2="CONFIG.SYS") returned 1 [0108.141] lstrcmpiW (lpString1="netfol.ico", lpString2="RECYCLER") returned -1 [0108.141] lstrcmpiW (lpString1="netfol.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.141] lstrcmpiW (lpString1="netfol.ico", lpString2="bootmgr") returned 1 [0108.141] lstrcmpiW (lpString1="netfol.ico", lpString2="programdata") returned -1 [0108.141] lstrcmpiW (lpString1="netfol.ico", lpString2="appdata") returned 1 [0108.141] lstrcmpiW (lpString1="netfol.ico", lpString2="program files") returned -1 [0108.141] lstrcmpiW (lpString1="netfol.ico", lpString2="program files (x86)") returned -1 [0108.141] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0108.141] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="netfol.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" [0108.141] PathFindExtensionW (pszPath="netfol.ico") returned=".ico" [0108.141] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.141] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.141] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.141] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.141] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.141] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.141] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.141] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.141] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.141] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.141] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.141] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.142] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.142] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.142] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.142] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.142] lstrcmpiW (lpString1="netfol.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.142] lstrlenA (lpString="NEPHILIM") returned 8 [0108.142] GetProcessHeap () returned 0x4e0000 [0108.142] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bb50 [0108.142] lstrlenA (lpString="NEPHILIM") returned 8 [0108.142] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.142] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.142] GetProcessHeap () returned 0x4e0000 [0108.142] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ce60 [0108.142] GetProcessHeap () returned 0x4e0000 [0108.142] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ce78 [0108.143] SystemFunction036 (in: RandomBuffer=0x50ce60, RandomBufferLength=0x10 | out: RandomBuffer=0x50ce60) returned 1 [0108.143] SystemFunction036 (in: RandomBuffer=0x50ce78, RandomBufferLength=0x10 | out: RandomBuffer=0x50ce78) returned 1 [0108.143] GetProcessHeap () returned 0x4e0000 [0108.143] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510c48 [0108.143] GetProcessHeap () returned 0x4e0000 [0108.143] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510d50 [0108.143] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510c48*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x510c48*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.143] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510d50*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x510d50*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.143] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.143] SetLastError (dwErrCode=0x0) [0108.143] WriteFile (in: hFile=0xffffffff, lpBuffer=0x510c48, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.144] GetLastError () returned 0x6 [0108.144] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2ca5b43, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2ca5b43, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c10f535, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2=".") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="..") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="...") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="windows") returned -1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="rsa") returned -1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="log") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="NTDETECT.COM") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="ntldr") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="MSDOS.SYS") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="IO.SYS") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="boot.ini") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="ntuser.dat") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="desktop.ini") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="CONFIG.SYS") returned 1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="RECYCLER") returned -1 [0108.144] lstrcmpiW (lpString1="pictures.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.145] lstrcmpiW (lpString1="pictures.ico", lpString2="bootmgr") returned 1 [0108.145] lstrcmpiW (lpString1="pictures.ico", lpString2="programdata") returned -1 [0108.145] lstrcmpiW (lpString1="pictures.ico", lpString2="appdata") returned 1 [0108.145] lstrcmpiW (lpString1="pictures.ico", lpString2="program files") returned -1 [0108.145] lstrcmpiW (lpString1="pictures.ico", lpString2="program files (x86)") returned -1 [0108.145] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0108.145] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="pictures.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" [0108.145] PathFindExtensionW (pszPath="pictures.ico") returned=".ico" [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.145] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.146] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.146] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.146] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.146] lstrcmpiW (lpString1="pictures.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.146] lstrlenA (lpString="NEPHILIM") returned 8 [0108.146] GetProcessHeap () returned 0x4e0000 [0108.146] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bb60 [0108.146] lstrlenA (lpString="NEPHILIM") returned 8 [0108.146] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.146] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.146] GetProcessHeap () returned 0x4e0000 [0108.146] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ce90 [0108.146] GetProcessHeap () returned 0x4e0000 [0108.147] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cea8 [0108.147] SystemFunction036 (in: RandomBuffer=0x50ce90, RandomBufferLength=0x10 | out: RandomBuffer=0x50ce90) returned 1 [0108.147] SystemFunction036 (in: RandomBuffer=0x50cea8, RandomBufferLength=0x10 | out: RandomBuffer=0x50cea8) returned 1 [0108.147] GetProcessHeap () returned 0x4e0000 [0108.147] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510e58 [0108.147] GetProcessHeap () returned 0x4e0000 [0108.147] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x510f60 [0108.147] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510e58*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x510e58*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.147] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x510f60*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x510f60*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.147] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.148] SetLastError (dwErrCode=0x0) [0108.148] WriteFile (in: hFile=0xffffffff, lpBuffer=0x510e58, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.148] GetLastError () returned 0x6 [0108.148] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c59889, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2c59889, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1cdc0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2=".") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="..") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="...") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="windows") returned -1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="$RECYCLE.BIN") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="rsa") returned -1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="log") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="NTDETECT.COM") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="ntldr") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="MSDOS.SYS") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="IO.SYS") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="boot.ini") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="AUTOEXEC.BAT") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="ntuser.dat") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="desktop.ini") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="CONFIG.SYS") returned 1 [0108.148] lstrcmpiW (lpString1="resource.xml", lpString2="RECYCLER") returned 1 [0108.149] lstrcmpiW (lpString1="resource.xml", lpString2="BOOTSECT.BAK") returned 1 [0108.149] lstrcmpiW (lpString1="resource.xml", lpString2="bootmgr") returned 1 [0108.149] lstrcmpiW (lpString1="resource.xml", lpString2="programdata") returned 1 [0108.149] lstrcmpiW (lpString1="resource.xml", lpString2="appdata") returned 1 [0108.149] lstrcmpiW (lpString1="resource.xml", lpString2="program files") returned 1 [0108.149] lstrcmpiW (lpString1="resource.xml", lpString2="program files (x86)") returned 1 [0108.149] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0108.150] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="resource.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" [0108.150] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0108.150] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0108.150] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0108.150] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0108.150] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0108.150] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0108.150] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0108.150] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0108.150] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0108.150] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0108.151] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0108.151] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0108.151] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0108.151] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0108.151] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0108.151] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0108.151] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0108.151] lstrcmpiW (lpString1="resource.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.151] lstrlenA (lpString="NEPHILIM") returned 8 [0108.151] GetProcessHeap () returned 0x4e0000 [0108.151] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bb70 [0108.151] lstrlenA (lpString="NEPHILIM") returned 8 [0108.151] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.155] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.155] GetProcessHeap () returned 0x4e0000 [0108.155] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cec0 [0108.155] GetProcessHeap () returned 0x4e0000 [0108.155] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ced8 [0108.155] SystemFunction036 (in: RandomBuffer=0x50cec0, RandomBufferLength=0x10 | out: RandomBuffer=0x50cec0) returned 1 [0108.155] SystemFunction036 (in: RandomBuffer=0x50ced8, RandomBufferLength=0x10 | out: RandomBuffer=0x50ced8) returned 1 [0108.155] GetProcessHeap () returned 0x4e0000 [0108.155] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x511068 [0108.155] GetProcessHeap () returned 0x4e0000 [0108.155] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x511170 [0108.155] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x511068*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x511068*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.156] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x511170*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x511170*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.156] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.156] SetLastError (dwErrCode=0x0) [0108.156] WriteFile (in: hFile=0xffffffff, lpBuffer=0x511068, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.156] GetLastError () returned 0x6 [0108.156] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2cf1dfd, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2cf1dfd, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1f3d69, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0108.156] lstrcmpiW (lpString1="ringtones.ico", lpString2=".") returned 1 [0108.156] lstrcmpiW (lpString1="ringtones.ico", lpString2="..") returned 1 [0108.156] lstrcmpiW (lpString1="ringtones.ico", lpString2="...") returned 1 [0108.156] lstrcmpiW (lpString1="ringtones.ico", lpString2="windows") returned -1 [0108.156] lstrcmpiW (lpString1="ringtones.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="rsa") returned -1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="log") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="NTDETECT.COM") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="ntldr") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="MSDOS.SYS") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="IO.SYS") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="boot.ini") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="ntuser.dat") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="desktop.ini") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="CONFIG.SYS") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="RECYCLER") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="bootmgr") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="programdata") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="appdata") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="program files") returned 1 [0108.157] lstrcmpiW (lpString1="ringtones.ico", lpString2="program files (x86)") returned 1 [0108.157] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0108.158] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="ringtones.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" [0108.158] PathFindExtensionW (pszPath="ringtones.ico") returned=".ico" [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.158] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.158] lstrcmpiW (lpString1="ringtones.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.158] lstrlenA (lpString="NEPHILIM") returned 8 [0108.158] GetProcessHeap () returned 0x4e0000 [0108.158] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bb80 [0108.159] lstrlenA (lpString="NEPHILIM") returned 8 [0108.159] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.159] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.159] GetProcessHeap () returned 0x4e0000 [0108.159] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cef0 [0108.159] GetProcessHeap () returned 0x4e0000 [0108.159] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cf08 [0108.159] SystemFunction036 (in: RandomBuffer=0x50cef0, RandomBufferLength=0x10 | out: RandomBuffer=0x50cef0) returned 1 [0108.159] SystemFunction036 (in: RandomBuffer=0x50cf08, RandomBufferLength=0x10 | out: RandomBuffer=0x50cf08) returned 1 [0108.159] GetProcessHeap () returned 0x4e0000 [0108.159] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x511278 [0108.159] GetProcessHeap () returned 0x4e0000 [0108.159] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x511380 [0108.159] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x511278*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x511278*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.160] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x511380*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x511380*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.160] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.160] SetLastError (dwErrCode=0x0) [0108.160] WriteFile (in: hFile=0xffffffff, lpBuffer=0x511278, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.160] GetLastError () returned 0x6 [0108.160] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d17f5a, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d17f5a, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1f3d69, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0108.160] lstrcmpiW (lpString1="settings.ico", lpString2=".") returned 1 [0108.160] lstrcmpiW (lpString1="settings.ico", lpString2="..") returned 1 [0108.160] lstrcmpiW (lpString1="settings.ico", lpString2="...") returned 1 [0108.160] lstrcmpiW (lpString1="settings.ico", lpString2="windows") returned -1 [0108.160] lstrcmpiW (lpString1="settings.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.160] lstrcmpiW (lpString1="settings.ico", lpString2="rsa") returned 1 [0108.160] lstrcmpiW (lpString1="settings.ico", lpString2="log") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="NTDETECT.COM") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="ntldr") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="MSDOS.SYS") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="IO.SYS") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="boot.ini") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="ntuser.dat") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="desktop.ini") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="CONFIG.SYS") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="RECYCLER") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="bootmgr") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="programdata") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="appdata") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="program files") returned 1 [0108.161] lstrcmpiW (lpString1="settings.ico", lpString2="program files (x86)") returned 1 [0108.161] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0108.161] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="settings.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" [0108.161] PathFindExtensionW (pszPath="settings.ico") returned=".ico" [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.162] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.162] lstrcmpiW (lpString1="settings.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.162] lstrlenA (lpString="NEPHILIM") returned 8 [0108.162] GetProcessHeap () returned 0x4e0000 [0108.162] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bb90 [0108.163] lstrlenA (lpString="NEPHILIM") returned 8 [0108.163] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.163] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.163] GetProcessHeap () returned 0x4e0000 [0108.163] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cf20 [0108.163] GetProcessHeap () returned 0x4e0000 [0108.163] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cf38 [0108.163] SystemFunction036 (in: RandomBuffer=0x50cf20, RandomBufferLength=0x10 | out: RandomBuffer=0x50cf20) returned 1 [0108.163] SystemFunction036 (in: RandomBuffer=0x50cf38, RandomBufferLength=0x10 | out: RandomBuffer=0x50cf38) returned 1 [0108.163] GetProcessHeap () returned 0x4e0000 [0108.163] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x511488 [0108.163] GetProcessHeap () returned 0x4e0000 [0108.163] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x511590 [0108.163] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x511488*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x511488*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.164] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x511590*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x511590*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.164] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.164] SetLastError (dwErrCode=0x0) [0108.164] WriteFile (in: hFile=0xffffffff, lpBuffer=0x511488, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.164] GetLastError () returned 0x6 [0108.164] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d3e0b7, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d3e0b7, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0108.164] lstrcmpiW (lpString1="sync.ico", lpString2=".") returned 1 [0108.164] lstrcmpiW (lpString1="sync.ico", lpString2="..") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="...") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="windows") returned -1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="rsa") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="log") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="NTDETECT.COM") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="ntldr") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="MSDOS.SYS") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="IO.SYS") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="boot.ini") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="ntuser.dat") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="desktop.ini") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="CONFIG.SYS") returned 1 [0108.166] lstrcmpiW (lpString1="sync.ico", lpString2="RECYCLER") returned 1 [0108.167] lstrcmpiW (lpString1="sync.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.167] lstrcmpiW (lpString1="sync.ico", lpString2="bootmgr") returned 1 [0108.167] lstrcmpiW (lpString1="sync.ico", lpString2="programdata") returned 1 [0108.167] lstrcmpiW (lpString1="sync.ico", lpString2="appdata") returned 1 [0108.167] lstrcmpiW (lpString1="sync.ico", lpString2="program files") returned 1 [0108.167] lstrcmpiW (lpString1="sync.ico", lpString2="program files (x86)") returned 1 [0108.167] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0108.167] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="sync.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" [0108.167] PathFindExtensionW (pszPath="sync.ico") returned=".ico" [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.167] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.168] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.168] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.168] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.168] lstrcmpiW (lpString1="sync.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.168] lstrlenA (lpString="NEPHILIM") returned 8 [0108.168] GetProcessHeap () returned 0x4e0000 [0108.168] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bba0 [0108.168] lstrlenA (lpString="NEPHILIM") returned 8 [0108.168] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.168] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.168] GetProcessHeap () returned 0x4e0000 [0108.168] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cf50 [0108.168] GetProcessHeap () returned 0x4e0000 [0108.168] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cf68 [0108.168] SystemFunction036 (in: RandomBuffer=0x50cf50, RandomBufferLength=0x10 | out: RandomBuffer=0x50cf50) returned 1 [0108.168] SystemFunction036 (in: RandomBuffer=0x50cf68, RandomBufferLength=0x10 | out: RandomBuffer=0x50cf68) returned 1 [0108.168] GetProcessHeap () returned 0x4e0000 [0108.168] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x511698 [0108.169] GetProcessHeap () returned 0x4e0000 [0108.169] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5117a0 [0108.169] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x511698*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x511698*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.169] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5117a0*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x5117a0*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.169] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.169] SetLastError (dwErrCode=0x0) [0108.169] WriteFile (in: hFile=0xffffffff, lpBuffer=0x511698, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.169] GetLastError () returned 0x6 [0108.169] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c219ec7, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x7c219ec7, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3473, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0108.169] lstrcmpiW (lpString1="tasks.xml", lpString2=".") returned 1 [0108.169] lstrcmpiW (lpString1="tasks.xml", lpString2="..") returned 1 [0108.169] lstrcmpiW (lpString1="tasks.xml", lpString2="...") returned 1 [0108.169] lstrcmpiW (lpString1="tasks.xml", lpString2="windows") returned -1 [0108.169] lstrcmpiW (lpString1="tasks.xml", lpString2="$RECYCLE.BIN") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="rsa") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="log") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="NTDETECT.COM") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="ntldr") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="MSDOS.SYS") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="IO.SYS") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="boot.ini") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="AUTOEXEC.BAT") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="ntuser.dat") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="desktop.ini") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="CONFIG.SYS") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="RECYCLER") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="BOOTSECT.BAK") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="bootmgr") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="programdata") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="appdata") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="program files") returned 1 [0108.170] lstrcmpiW (lpString1="tasks.xml", lpString2="program files (x86)") returned 1 [0108.170] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0108.170] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="tasks.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" [0108.170] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0108.170] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0108.170] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0108.170] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0108.171] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0108.171] lstrcmpiW (lpString1="tasks.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.171] lstrlenA (lpString="NEPHILIM") returned 8 [0108.171] GetProcessHeap () returned 0x4e0000 [0108.171] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bbb0 [0108.171] lstrlenA (lpString="NEPHILIM") returned 8 [0108.171] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.177] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.177] GetProcessHeap () returned 0x4e0000 [0108.177] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cf80 [0108.177] GetProcessHeap () returned 0x4e0000 [0108.177] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cf98 [0108.177] SystemFunction036 (in: RandomBuffer=0x50cf80, RandomBufferLength=0x10 | out: RandomBuffer=0x50cf80) returned 1 [0108.177] SystemFunction036 (in: RandomBuffer=0x50cf98, RandomBufferLength=0x10 | out: RandomBuffer=0x50cf98) returned 1 [0108.177] GetProcessHeap () returned 0x4e0000 [0108.178] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5118a8 [0108.178] GetProcessHeap () returned 0x4e0000 [0108.178] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5119b0 [0108.178] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5118a8*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x5118a8*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.178] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5119b0*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x5119b0*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.178] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.178] SetLastError (dwErrCode=0x0) [0108.178] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5118a8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.178] GetLastError () returned 0x6 [0108.178] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d64214, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d64214, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0108.178] lstrcmpiW (lpString1="wmp.ico", lpString2=".") returned 1 [0108.178] lstrcmpiW (lpString1="wmp.ico", lpString2="..") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="...") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="windows") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="rsa") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="log") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="NTDETECT.COM") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="ntldr") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="MSDOS.SYS") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="IO.SYS") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="boot.ini") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="ntuser.dat") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="desktop.ini") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="CONFIG.SYS") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="RECYCLER") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="bootmgr") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="programdata") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="appdata") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="program files") returned 1 [0108.179] lstrcmpiW (lpString1="wmp.ico", lpString2="program files (x86)") returned 1 [0108.179] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0108.179] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="wmp.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" [0108.180] PathFindExtensionW (pszPath="wmp.ico") returned=".ico" [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.180] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.181] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.181] lstrcmpiW (lpString1="wmp.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.181] lstrlenA (lpString="NEPHILIM") returned 8 [0108.181] GetProcessHeap () returned 0x4e0000 [0108.181] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bbc0 [0108.181] lstrlenA (lpString="NEPHILIM") returned 8 [0108.181] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.181] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.181] GetProcessHeap () returned 0x4e0000 [0108.181] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cfb0 [0108.181] GetProcessHeap () returned 0x4e0000 [0108.181] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cfc8 [0108.181] SystemFunction036 (in: RandomBuffer=0x50cfb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50cfb0) returned 1 [0108.181] SystemFunction036 (in: RandomBuffer=0x50cfc8, RandomBufferLength=0x10 | out: RandomBuffer=0x50cfc8) returned 1 [0108.181] GetProcessHeap () returned 0x4e0000 [0108.182] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x511ab8 [0108.182] GetProcessHeap () returned 0x4e0000 [0108.182] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x511bc0 [0108.182] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x511ab8*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x511ab8*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.182] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x511bc0*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x511bc0*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.182] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.182] SetLastError (dwErrCode=0x0) [0108.182] WriteFile (in: hFile=0xffffffff, lpBuffer=0x511ab8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.182] GetLastError () returned 0x6 [0108.182] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d64214, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d64214, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="wmp.ico", cAlternateFileName="")) returned 0 [0108.182] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0108.183] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2=".") returned 1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="..") returned 1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="...") returned 1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="windows") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="$RECYCLE.BIN") returned 1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="rsa") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="log") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="NTDETECT.COM") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="ntldr") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="MSDOS.SYS") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="IO.SYS") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="boot.ini") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="AUTOEXEC.BAT") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="ntuser.dat") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="desktop.ini") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="CONFIG.SYS") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="RECYCLER") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="BOOTSECT.BAK") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="bootmgr") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="programdata") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="appdata") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="program files") returned -1 [0108.183] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="program files (x86)") returned -1 [0108.184] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\" [0108.184] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" [0108.184] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0108.184] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0108.184] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" [0108.184] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0108.187] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.187] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0108.187] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.187] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.187] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="en-US", cAlternateFileName="")) returned 1 [0108.187] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0108.187] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0108.187] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0108.187] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0108.187] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0108.187] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0108.187] lstrcmpiW (lpString1="en-US", lpString2="log") returned -1 [0108.187] lstrcmpiW (lpString1="en-US", lpString2="NTDETECT.COM") returned -1 [0108.187] lstrcmpiW (lpString1="en-US", lpString2="ntldr") returned -1 [0108.187] lstrcmpiW (lpString1="en-US", lpString2="MSDOS.SYS") returned -1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="IO.SYS") returned -1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="boot.ini") returned 1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="AUTOEXEC.BAT") returned 1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="desktop.ini") returned 1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="CONFIG.SYS") returned 1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="RECYCLER") returned -1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="BOOTSECT.BAK") returned 1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0108.188] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0108.188] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0108.188] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="en-US" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" [0108.188] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\" [0108.188] lstrcpyW (in: lpString1=0x24dcee0, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\" [0108.188] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*" [0108.188] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*", lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb400b2, dwReserved1=0x24dd560, cFileName=".", cAlternateFileName="")) returned 0x50aa00 [0108.189] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.189] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb400b2, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 1 [0108.189] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.189] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.189] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0xb400b2, dwReserved1=0x24dd560, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2=".") returned 1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2="..") returned 1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2="...") returned 1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2="windows") returned -1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2="$RECYCLE.BIN") returned 1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2="rsa") returned -1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2="log") returned 1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2="NTDETECT.COM") returned 1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2="ntldr") returned 1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2="MSDOS.SYS") returned 1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2="IO.SYS") returned 1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2="boot.ini") returned 1 [0108.189] lstrcmpiW (lpString1="resource.xml", lpString2="AUTOEXEC.BAT") returned 1 [0108.190] lstrcmpiW (lpString1="resource.xml", lpString2="ntuser.dat") returned 1 [0108.190] lstrcmpiW (lpString1="resource.xml", lpString2="desktop.ini") returned 1 [0108.190] lstrcmpiW (lpString1="resource.xml", lpString2="CONFIG.SYS") returned 1 [0108.190] lstrcmpiW (lpString1="resource.xml", lpString2="RECYCLER") returned 1 [0108.190] lstrcmpiW (lpString1="resource.xml", lpString2="BOOTSECT.BAK") returned 1 [0108.190] lstrcmpiW (lpString1="resource.xml", lpString2="bootmgr") returned 1 [0108.190] lstrcmpiW (lpString1="resource.xml", lpString2="programdata") returned 1 [0108.190] lstrcmpiW (lpString1="resource.xml", lpString2="appdata") returned 1 [0108.190] lstrcmpiW (lpString1="resource.xml", lpString2="program files") returned 1 [0108.190] lstrcmpiW (lpString1="resource.xml", lpString2="program files (x86)") returned 1 [0108.190] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\" [0108.190] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", lpString2="resource.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" [0108.190] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0108.190] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0108.190] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0108.190] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0108.190] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0108.190] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0108.190] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0108.190] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0108.191] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0108.191] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0108.191] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0108.191] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0108.191] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0108.191] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0108.191] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0108.191] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0108.191] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0108.191] lstrcmpiW (lpString1="resource.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.191] lstrlenA (lpString="NEPHILIM") returned 8 [0108.191] GetProcessHeap () returned 0x4e0000 [0108.191] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bbd0 [0108.191] lstrlenA (lpString="NEPHILIM") returned 8 [0108.191] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.193] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=4294968320) returned 0 [0108.193] GetProcessHeap () returned 0x4e0000 [0108.193] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cfe0 [0108.193] GetProcessHeap () returned 0x4e0000 [0108.193] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50cff8 [0108.193] SystemFunction036 (in: RandomBuffer=0x50cfe0, RandomBufferLength=0x10 | out: RandomBuffer=0x50cfe0) returned 1 [0108.193] SystemFunction036 (in: RandomBuffer=0x50cff8, RandomBufferLength=0x10 | out: RandomBuffer=0x50cff8) returned 1 [0108.193] GetProcessHeap () returned 0x4e0000 [0108.193] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x511cc8 [0108.193] GetProcessHeap () returned 0x4e0000 [0108.193] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x511dd0 [0108.193] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x511cc8*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x511cc8*, pdwDataLen=0x24dc808*=0x100) returned 1 [0108.194] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x511dd0*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x511dd0*, pdwDataLen=0x24dc804*=0x100) returned 1 [0108.194] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.194] SetLastError (dwErrCode=0x0) [0108.194] WriteFile (in: hFile=0xffffffff, lpBuffer=0x511cc8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0) returned 0 [0108.194] GetLastError () returned 0x6 [0108.194] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0xb400b2, dwReserved1=0x24dd560, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0108.194] FindClose (in: hFindFile=0x50aa00 | out: hFindFile=0x50aa00) returned 1 [0108.194] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f15ee9d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f15ee9d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78a2eab, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0108.194] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0108.194] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0108.194] lstrcmpiW (lpString1="folder.ico", lpString2="...") returned 1 [0108.194] lstrcmpiW (lpString1="folder.ico", lpString2="windows") returned -1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="rsa") returned -1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="log") returned -1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="NTDETECT.COM") returned -1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="ntldr") returned -1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="MSDOS.SYS") returned -1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="IO.SYS") returned -1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="boot.ini") returned 1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="ntuser.dat") returned -1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="desktop.ini") returned 1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="CONFIG.SYS") returned 1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="RECYCLER") returned -1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="bootmgr") returned 1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="programdata") returned -1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="appdata") returned 1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="program files") returned -1 [0108.195] lstrcmpiW (lpString1="folder.ico", lpString2="program files (x86)") returned -1 [0108.195] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0108.195] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="folder.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" [0108.195] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0108.195] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.196] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.196] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.196] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.196] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.196] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.196] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.196] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.196] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.196] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.196] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.197] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.197] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.197] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.197] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.197] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.197] lstrcmpiW (lpString1="folder.ico", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0108.197] lstrlenA (lpString="NEPHILIM") returned 8 [0108.197] GetProcessHeap () returned 0x4e0000 [0108.197] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bbe0 [0108.197] lstrlenA (lpString="NEPHILIM") returned 8 [0108.197] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.197] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.197] GetProcessHeap () returned 0x4e0000 [0108.197] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d010 [0108.197] GetProcessHeap () returned 0x4e0000 [0108.198] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d028 [0108.198] SystemFunction036 (in: RandomBuffer=0x50d010, RandomBufferLength=0x10 | out: RandomBuffer=0x50d010) returned 1 [0108.198] SystemFunction036 (in: RandomBuffer=0x50d028, RandomBufferLength=0x10 | out: RandomBuffer=0x50d028) returned 1 [0108.198] GetProcessHeap () returned 0x4e0000 [0108.198] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x512ff0 [0108.198] GetProcessHeap () returned 0x4e0000 [0108.198] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5130f8 [0108.198] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x512ff0*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x512ff0*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.198] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5130f8*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x5130f8*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.198] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.198] SetLastError (dwErrCode=0x0) [0108.198] WriteFile (in: hFile=0xffffffff, lpBuffer=0x512ff0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.198] GetLastError () returned 0x6 [0108.199] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0eca86, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0eca86, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78c9009, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2=".") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="..") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="...") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="windows") returned -1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="rsa") returned -1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="log") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="NTDETECT.COM") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="ntldr") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="MSDOS.SYS") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="IO.SYS") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="boot.ini") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="ntuser.dat") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="desktop.ini") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="CONFIG.SYS") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="RECYCLER") returned -1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="bootmgr") returned 1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="programdata") returned -1 [0108.199] lstrcmpiW (lpString1="print_pref.ico", lpString2="appdata") returned 1 [0108.200] lstrcmpiW (lpString1="print_pref.ico", lpString2="program files") returned -1 [0108.200] lstrcmpiW (lpString1="print_pref.ico", lpString2="program files (x86)") returned -1 [0108.200] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0108.200] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="print_pref.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" [0108.200] PathFindExtensionW (pszPath="print_pref.ico") returned=".ico" [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.200] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.200] lstrcmpiW (lpString1="print_pref.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.200] lstrlenA (lpString="NEPHILIM") returned 8 [0108.201] GetProcessHeap () returned 0x4e0000 [0108.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bbf0 [0108.201] lstrlenA (lpString="NEPHILIM") returned 8 [0108.201] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.201] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.201] GetProcessHeap () returned 0x4e0000 [0108.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d040 [0108.201] GetProcessHeap () returned 0x4e0000 [0108.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d058 [0108.201] SystemFunction036 (in: RandomBuffer=0x50d040, RandomBufferLength=0x10 | out: RandomBuffer=0x50d040) returned 1 [0108.201] SystemFunction036 (in: RandomBuffer=0x50d058, RandomBufferLength=0x10 | out: RandomBuffer=0x50d058) returned 1 [0108.201] GetProcessHeap () returned 0x4e0000 [0108.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513200 [0108.201] GetProcessHeap () returned 0x4e0000 [0108.202] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513308 [0108.202] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513200*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x513200*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.202] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513308*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x513308*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.202] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.202] SetLastError (dwErrCode=0x0) [0108.202] WriteFile (in: hFile=0xffffffff, lpBuffer=0x513200, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.202] GetLastError () returned 0x6 [0108.202] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0eca86, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0eca86, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78c9009, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0108.202] lstrcmpiW (lpString1="print_property.ico", lpString2=".") returned 1 [0108.202] lstrcmpiW (lpString1="print_property.ico", lpString2="..") returned 1 [0108.202] lstrcmpiW (lpString1="print_property.ico", lpString2="...") returned 1 [0108.202] lstrcmpiW (lpString1="print_property.ico", lpString2="windows") returned -1 [0108.202] lstrcmpiW (lpString1="print_property.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="rsa") returned -1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="log") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="NTDETECT.COM") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="ntldr") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="MSDOS.SYS") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="IO.SYS") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="boot.ini") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="ntuser.dat") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="desktop.ini") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="CONFIG.SYS") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="RECYCLER") returned -1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="bootmgr") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="programdata") returned -1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="appdata") returned 1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="program files") returned -1 [0108.203] lstrcmpiW (lpString1="print_property.ico", lpString2="program files (x86)") returned -1 [0108.203] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0108.203] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="print_property.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" [0108.203] PathFindExtensionW (pszPath="print_property.ico") returned=".ico" [0108.203] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.204] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.204] lstrcmpiW (lpString1="print_property.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.204] lstrlenA (lpString="NEPHILIM") returned 8 [0108.204] GetProcessHeap () returned 0x4e0000 [0108.204] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bc00 [0108.204] lstrlenA (lpString="NEPHILIM") returned 8 [0108.204] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.205] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.205] GetProcessHeap () returned 0x4e0000 [0108.205] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d070 [0108.205] GetProcessHeap () returned 0x4e0000 [0108.205] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d088 [0108.205] SystemFunction036 (in: RandomBuffer=0x50d070, RandomBufferLength=0x10 | out: RandomBuffer=0x50d070) returned 1 [0108.205] SystemFunction036 (in: RandomBuffer=0x50d088, RandomBufferLength=0x10 | out: RandomBuffer=0x50d088) returned 1 [0108.205] GetProcessHeap () returned 0x4e0000 [0108.205] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513410 [0108.205] GetProcessHeap () returned 0x4e0000 [0108.205] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513518 [0108.205] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513410*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x513410*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.205] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513518*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x513518*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.206] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.206] SetLastError (dwErrCode=0x0) [0108.206] WriteFile (in: hFile=0xffffffff, lpBuffer=0x513410, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.206] GetLastError () returned 0x6 [0108.206] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f112be3, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f112be3, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7be8cbf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2=".") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="..") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="...") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="windows") returned -1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="rsa") returned -1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="log") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="NTDETECT.COM") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="ntldr") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="MSDOS.SYS") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="IO.SYS") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="boot.ini") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="ntuser.dat") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="desktop.ini") returned 1 [0108.206] lstrcmpiW (lpString1="print_queue.ico", lpString2="CONFIG.SYS") returned 1 [0108.207] lstrcmpiW (lpString1="print_queue.ico", lpString2="RECYCLER") returned -1 [0108.207] lstrcmpiW (lpString1="print_queue.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.207] lstrcmpiW (lpString1="print_queue.ico", lpString2="bootmgr") returned 1 [0108.207] lstrcmpiW (lpString1="print_queue.ico", lpString2="programdata") returned -1 [0108.207] lstrcmpiW (lpString1="print_queue.ico", lpString2="appdata") returned 1 [0108.207] lstrcmpiW (lpString1="print_queue.ico", lpString2="program files") returned -1 [0108.207] lstrcmpiW (lpString1="print_queue.ico", lpString2="program files (x86)") returned -1 [0108.207] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0108.207] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="print_queue.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" [0108.207] PathFindExtensionW (pszPath="print_queue.ico") returned=".ico" [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.207] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.208] lstrcmpiW (lpString1="print_queue.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.208] lstrlenA (lpString="NEPHILIM") returned 8 [0108.208] GetProcessHeap () returned 0x4e0000 [0108.208] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bc10 [0108.208] lstrlenA (lpString="NEPHILIM") returned 8 [0108.208] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.210] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.210] GetProcessHeap () returned 0x4e0000 [0108.210] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d0c8 [0108.210] GetProcessHeap () returned 0x4e0000 [0108.210] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d0e0 [0108.210] SystemFunction036 (in: RandomBuffer=0x50d0c8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d0c8) returned 1 [0108.210] SystemFunction036 (in: RandomBuffer=0x50d0e0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d0e0) returned 1 [0108.210] GetProcessHeap () returned 0x4e0000 [0108.210] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513620 [0108.210] GetProcessHeap () returned 0x4e0000 [0108.210] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513728 [0108.210] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513620*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x513620*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.210] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513728*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x513728*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.211] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.211] SetLastError (dwErrCode=0x0) [0108.211] WriteFile (in: hFile=0xffffffff, lpBuffer=0x513620, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.211] GetLastError () returned 0x6 [0108.211] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f138d40, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f138d40, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c0ee1d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0108.211] lstrcmpiW (lpString1="scan_.ico", lpString2=".") returned 1 [0108.211] lstrcmpiW (lpString1="scan_.ico", lpString2="..") returned 1 [0108.211] lstrcmpiW (lpString1="scan_.ico", lpString2="...") returned 1 [0108.211] lstrcmpiW (lpString1="scan_.ico", lpString2="windows") returned -1 [0108.211] lstrcmpiW (lpString1="scan_.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.211] lstrcmpiW (lpString1="scan_.ico", lpString2="rsa") returned 1 [0108.211] lstrcmpiW (lpString1="scan_.ico", lpString2="log") returned 1 [0108.211] lstrcmpiW (lpString1="scan_.ico", lpString2="NTDETECT.COM") returned 1 [0108.211] lstrcmpiW (lpString1="scan_.ico", lpString2="ntldr") returned 1 [0108.211] lstrcmpiW (lpString1="scan_.ico", lpString2="MSDOS.SYS") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="IO.SYS") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="boot.ini") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="ntuser.dat") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="desktop.ini") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="CONFIG.SYS") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="RECYCLER") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="bootmgr") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="programdata") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="appdata") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="program files") returned 1 [0108.212] lstrcmpiW (lpString1="scan_.ico", lpString2="program files (x86)") returned 1 [0108.212] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0108.212] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="scan_.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" [0108.212] PathFindExtensionW (pszPath="scan_.ico") returned=".ico" [0108.212] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.212] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.212] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.212] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.212] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.212] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.212] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.212] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.213] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.213] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.213] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.213] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.213] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.213] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.213] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.213] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.213] lstrcmpiW (lpString1="scan_.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.213] lstrlenA (lpString="NEPHILIM") returned 8 [0108.213] GetProcessHeap () returned 0x4e0000 [0108.213] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bc20 [0108.213] lstrlenA (lpString="NEPHILIM") returned 8 [0108.213] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.213] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.213] GetProcessHeap () returned 0x4e0000 [0108.213] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d0f8 [0108.213] GetProcessHeap () returned 0x4e0000 [0108.213] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d110 [0108.214] SystemFunction036 (in: RandomBuffer=0x50d0f8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d0f8) returned 1 [0108.214] SystemFunction036 (in: RandomBuffer=0x50d110, RandomBufferLength=0x10 | out: RandomBuffer=0x50d110) returned 1 [0108.214] GetProcessHeap () returned 0x4e0000 [0108.214] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513830 [0108.214] GetProcessHeap () returned 0x4e0000 [0108.214] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513938 [0108.214] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513830*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x513830*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.214] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513938*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x513938*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.214] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.214] SetLastError (dwErrCode=0x0) [0108.214] WriteFile (in: hFile=0xffffffff, lpBuffer=0x513830, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.214] GetLastError () returned 0x6 [0108.214] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f15ee9d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f15ee9d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c0ee1d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0108.214] lstrcmpiW (lpString1="scan_property.ico", lpString2=".") returned 1 [0108.214] lstrcmpiW (lpString1="scan_property.ico", lpString2="..") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="...") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="windows") returned -1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="rsa") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="log") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="NTDETECT.COM") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="ntldr") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="MSDOS.SYS") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="IO.SYS") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="boot.ini") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="ntuser.dat") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="desktop.ini") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="CONFIG.SYS") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="RECYCLER") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="bootmgr") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="programdata") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="appdata") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="program files") returned 1 [0108.215] lstrcmpiW (lpString1="scan_property.ico", lpString2="program files (x86)") returned 1 [0108.215] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0108.216] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="scan_property.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" [0108.216] PathFindExtensionW (pszPath="scan_property.ico") returned=".ico" [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.216] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.217] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.217] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.217] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.217] lstrcmpiW (lpString1="scan_property.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.217] lstrlenA (lpString="NEPHILIM") returned 8 [0108.217] GetProcessHeap () returned 0x4e0000 [0108.217] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bc30 [0108.217] lstrlenA (lpString="NEPHILIM") returned 8 [0108.217] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.217] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.217] GetProcessHeap () returned 0x4e0000 [0108.217] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d128 [0108.217] GetProcessHeap () returned 0x4e0000 [0108.218] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d140 [0108.218] SystemFunction036 (in: RandomBuffer=0x50d128, RandomBufferLength=0x10 | out: RandomBuffer=0x50d128) returned 1 [0108.218] SystemFunction036 (in: RandomBuffer=0x50d140, RandomBufferLength=0x10 | out: RandomBuffer=0x50d140) returned 1 [0108.218] GetProcessHeap () returned 0x4e0000 [0108.218] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513a40 [0108.218] GetProcessHeap () returned 0x4e0000 [0108.218] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513b48 [0108.218] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513a40*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x513a40*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.218] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513b48*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x513b48*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.218] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.219] SetLastError (dwErrCode=0x0) [0108.219] WriteFile (in: hFile=0xffffffff, lpBuffer=0x513a40, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.219] GetLastError () returned 0x6 [0108.219] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f138d40, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f138d40, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c34f7b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0108.219] lstrcmpiW (lpString1="scan_settings.ico", lpString2=".") returned 1 [0108.219] lstrcmpiW (lpString1="scan_settings.ico", lpString2="..") returned 1 [0108.219] lstrcmpiW (lpString1="scan_settings.ico", lpString2="...") returned 1 [0108.219] lstrcmpiW (lpString1="scan_settings.ico", lpString2="windows") returned -1 [0108.219] lstrcmpiW (lpString1="scan_settings.ico", lpString2="$RECYCLE.BIN") returned 1 [0108.219] lstrcmpiW (lpString1="scan_settings.ico", lpString2="rsa") returned 1 [0108.219] lstrcmpiW (lpString1="scan_settings.ico", lpString2="log") returned 1 [0108.219] lstrcmpiW (lpString1="scan_settings.ico", lpString2="NTDETECT.COM") returned 1 [0108.219] lstrcmpiW (lpString1="scan_settings.ico", lpString2="ntldr") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="MSDOS.SYS") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="IO.SYS") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="boot.ini") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="AUTOEXEC.BAT") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="ntuser.dat") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="desktop.ini") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="CONFIG.SYS") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="RECYCLER") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="BOOTSECT.BAK") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="bootmgr") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="programdata") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="appdata") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="program files") returned 1 [0108.220] lstrcmpiW (lpString1="scan_settings.ico", lpString2="program files (x86)") returned 1 [0108.220] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0108.220] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="scan_settings.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" [0108.221] PathFindExtensionW (pszPath="scan_settings.ico") returned=".ico" [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0108.221] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0108.221] lstrcmpiW (lpString1="scan_settings.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.221] lstrlenA (lpString="NEPHILIM") returned 8 [0108.221] GetProcessHeap () returned 0x4e0000 [0108.221] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bc40 [0108.221] lstrlenA (lpString="NEPHILIM") returned 8 [0108.222] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.222] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.222] GetProcessHeap () returned 0x4e0000 [0108.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d158 [0108.222] GetProcessHeap () returned 0x4e0000 [0108.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d170 [0108.222] SystemFunction036 (in: RandomBuffer=0x50d158, RandomBufferLength=0x10 | out: RandomBuffer=0x50d158) returned 1 [0108.222] SystemFunction036 (in: RandomBuffer=0x50d170, RandomBufferLength=0x10 | out: RandomBuffer=0x50d170) returned 1 [0108.222] GetProcessHeap () returned 0x4e0000 [0108.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513c50 [0108.222] GetProcessHeap () returned 0x4e0000 [0108.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513d58 [0108.222] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513c50*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x513c50*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.223] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513d58*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x513d58*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.223] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.223] SetLastError (dwErrCode=0x0) [0108.223] WriteFile (in: hFile=0xffffffff, lpBuffer=0x513c50, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.223] GetLastError () returned 0x6 [0108.223] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f054512, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f054512, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7d3f90d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2=".") returned 1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2="..") returned 1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2="...") returned 1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2="windows") returned -1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2="$RECYCLE.BIN") returned 1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2="rsa") returned 1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2="log") returned 1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2="NTDETECT.COM") returned 1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2="ntldr") returned 1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2="MSDOS.SYS") returned 1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2="IO.SYS") returned 1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2="boot.ini") returned 1 [0108.223] lstrcmpiW (lpString1="tasks.xml", lpString2="AUTOEXEC.BAT") returned 1 [0108.224] lstrcmpiW (lpString1="tasks.xml", lpString2="ntuser.dat") returned 1 [0108.224] lstrcmpiW (lpString1="tasks.xml", lpString2="desktop.ini") returned 1 [0108.224] lstrcmpiW (lpString1="tasks.xml", lpString2="CONFIG.SYS") returned 1 [0108.224] lstrcmpiW (lpString1="tasks.xml", lpString2="RECYCLER") returned 1 [0108.224] lstrcmpiW (lpString1="tasks.xml", lpString2="BOOTSECT.BAK") returned 1 [0108.224] lstrcmpiW (lpString1="tasks.xml", lpString2="bootmgr") returned 1 [0108.224] lstrcmpiW (lpString1="tasks.xml", lpString2="programdata") returned 1 [0108.224] lstrcmpiW (lpString1="tasks.xml", lpString2="appdata") returned 1 [0108.224] lstrcmpiW (lpString1="tasks.xml", lpString2="program files") returned 1 [0108.224] lstrcmpiW (lpString1="tasks.xml", lpString2="program files (x86)") returned 1 [0108.224] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0108.224] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="tasks.xml" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" [0108.224] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0108.224] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0108.224] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0108.224] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0108.224] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0108.224] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0108.224] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0108.224] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0108.224] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0108.224] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0108.225] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0108.225] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0108.225] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0108.225] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0108.225] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0108.225] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0108.225] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0108.225] lstrcmpiW (lpString1="tasks.xml", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.225] lstrlenA (lpString="NEPHILIM") returned 8 [0108.225] GetProcessHeap () returned 0x4e0000 [0108.225] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bc50 [0108.225] lstrlenA (lpString="NEPHILIM") returned 8 [0108.225] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.225] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=4294968320) returned 0 [0108.225] GetProcessHeap () returned 0x4e0000 [0108.225] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d188 [0108.225] GetProcessHeap () returned 0x4e0000 [0108.225] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1a0 [0108.226] SystemFunction036 (in: RandomBuffer=0x50d188, RandomBufferLength=0x10 | out: RandomBuffer=0x50d188) returned 1 [0108.226] SystemFunction036 (in: RandomBuffer=0x50d1a0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1a0) returned 1 [0108.226] GetProcessHeap () returned 0x4e0000 [0108.226] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513e60 [0108.226] GetProcessHeap () returned 0x4e0000 [0108.226] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x513f68 [0108.226] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513e60*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x513e60*, pdwDataLen=0x24dce88*=0x100) returned 1 [0108.226] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x513f68*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x513f68*, pdwDataLen=0x24dce84*=0x100) returned 1 [0108.226] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0108.226] SetLastError (dwErrCode=0x0) [0108.226] WriteFile (in: hFile=0xffffffff, lpBuffer=0x513e60, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0) returned 0 [0108.226] GetLastError () returned 0x6 [0108.226] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f054512, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f054512, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7d3f90d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="tasks.xml", cAlternateFileName="")) returned 0 [0108.227] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0108.227] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0108.228] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0108.228] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Task", cAlternateFileName="")) returned 0 [0108.229] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0108.229] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2=".") returned 1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="..") returned 1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="...") returned 1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="windows") returned -1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="$RECYCLE.BIN") returned 1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="rsa") returned -1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="log") returned -1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="NTDETECT.COM") returned -1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="ntldr") returned -1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="MSDOS.SYS") returned -1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="IO.SYS") returned -1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="boot.ini") returned 1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="AUTOEXEC.BAT") returned 1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="ntuser.dat") returned -1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="desktop.ini") returned 1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="CONFIG.SYS") returned 1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="RECYCLER") returned -1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="BOOTSECT.BAK") returned 1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="bootmgr") returned 1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="programdata") returned -1 [0108.229] lstrcmpiW (lpString1="DeviceSync", lpString2="appdata") returned 1 [0108.230] lstrcmpiW (lpString1="DeviceSync", lpString2="program files") returned -1 [0108.230] lstrcmpiW (lpString1="DeviceSync", lpString2="program files (x86)") returned -1 [0108.230] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0108.230] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="DeviceSync" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync") returned="C:\\Users\\All Users\\Microsoft\\DeviceSync" [0108.230] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync\\") returned="C:\\Users\\All Users\\Microsoft\\DeviceSync\\" [0108.230] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\DeviceSync\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync\\") returned="C:\\Users\\All Users\\Microsoft\\DeviceSync\\" [0108.230] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*" [0108.230] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0108.236] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.236] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0108.236] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.236] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.236] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 0 [0108.236] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0108.236] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="DRM", cAlternateFileName="")) returned 1 [0108.236] lstrcmpiW (lpString1="DRM", lpString2=".") returned 1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="..") returned 1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="...") returned 1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="windows") returned -1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="$RECYCLE.BIN") returned 1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="rsa") returned -1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="log") returned -1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="NTDETECT.COM") returned -1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="ntldr") returned -1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="MSDOS.SYS") returned -1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="IO.SYS") returned -1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="boot.ini") returned 1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="AUTOEXEC.BAT") returned 1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="ntuser.dat") returned -1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="desktop.ini") returned 1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="CONFIG.SYS") returned 1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="RECYCLER") returned -1 [0108.237] lstrcmpiW (lpString1="DRM", lpString2="BOOTSECT.BAK") returned 1 [0108.238] lstrcmpiW (lpString1="DRM", lpString2="bootmgr") returned 1 [0108.238] lstrcmpiW (lpString1="DRM", lpString2="programdata") returned -1 [0108.238] lstrcmpiW (lpString1="DRM", lpString2="appdata") returned 1 [0108.238] lstrcmpiW (lpString1="DRM", lpString2="program files") returned -1 [0108.238] lstrcmpiW (lpString1="DRM", lpString2="program files (x86)") returned -1 [0108.238] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0108.238] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="DRM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM") returned="C:\\Users\\All Users\\Microsoft\\DRM" [0108.238] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\") returned="C:\\Users\\All Users\\Microsoft\\DRM\\" [0108.238] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\DRM\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\") returned="C:\\Users\\All Users\\Microsoft\\DRM\\" [0108.238] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DRM\\*.*" [0108.238] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0108.238] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.238] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0108.239] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.239] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.239] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Server", cAlternateFileName="")) returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2=".") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="..") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="...") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="windows") returned -1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="$RECYCLE.BIN") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="rsa") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="log") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="NTDETECT.COM") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="ntldr") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="MSDOS.SYS") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="IO.SYS") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="boot.ini") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="AUTOEXEC.BAT") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="ntuser.dat") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="desktop.ini") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="CONFIG.SYS") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="RECYCLER") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="BOOTSECT.BAK") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="bootmgr") returned 1 [0108.239] lstrcmpiW (lpString1="Server", lpString2="programdata") returned 1 [0108.240] lstrcmpiW (lpString1="Server", lpString2="appdata") returned 1 [0108.240] lstrcmpiW (lpString1="Server", lpString2="program files") returned 1 [0108.240] lstrcmpiW (lpString1="Server", lpString2="program files (x86)") returned 1 [0108.240] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\DRM\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\") returned="C:\\Users\\All Users\\Microsoft\\DRM\\" [0108.240] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\", lpString2="Server" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned="C:\\Users\\All Users\\Microsoft\\DRM\\Server" [0108.240] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\") returned="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\" [0108.240] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\") returned="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\" [0108.240] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*") returned="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*" [0108.240] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0108.240] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.240] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0108.240] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.240] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.240] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 0 [0108.240] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0108.241] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Server", cAlternateFileName="")) returned 0 [0108.241] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0108.241] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="eHome", cAlternateFileName="")) returned 1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2=".") returned 1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="..") returned 1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="...") returned 1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="windows") returned -1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="$RECYCLE.BIN") returned 1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="rsa") returned -1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="log") returned -1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="NTDETECT.COM") returned -1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="ntldr") returned -1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="MSDOS.SYS") returned -1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="IO.SYS") returned -1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="boot.ini") returned 1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="AUTOEXEC.BAT") returned 1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="ntuser.dat") returned -1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="desktop.ini") returned 1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="CONFIG.SYS") returned 1 [0108.241] lstrcmpiW (lpString1="eHome", lpString2="RECYCLER") returned -1 [0108.242] lstrcmpiW (lpString1="eHome", lpString2="BOOTSECT.BAK") returned 1 [0108.242] lstrcmpiW (lpString1="eHome", lpString2="bootmgr") returned 1 [0108.242] lstrcmpiW (lpString1="eHome", lpString2="programdata") returned -1 [0108.242] lstrcmpiW (lpString1="eHome", lpString2="appdata") returned 1 [0108.242] lstrcmpiW (lpString1="eHome", lpString2="program files") returned -1 [0108.242] lstrcmpiW (lpString1="eHome", lpString2="program files (x86)") returned -1 [0108.242] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0108.242] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="eHome" | out: lpString1="C:\\Users\\All Users\\Microsoft\\eHome") returned="C:\\Users\\All Users\\Microsoft\\eHome" [0108.242] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\eHome", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\eHome\\") returned="C:\\Users\\All Users\\Microsoft\\eHome\\" [0108.242] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\eHome\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\eHome\\") returned="C:\\Users\\All Users\\Microsoft\\eHome\\" [0108.242] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\eHome\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\eHome\\*.*") returned="C:\\Users\\All Users\\Microsoft\\eHome\\*.*" [0108.242] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\eHome\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0108.242] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.243] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0108.243] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.243] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.243] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="logs", cAlternateFileName="")) returned 1 [0108.243] lstrcmpiW (lpString1="logs", lpString2=".") returned 1 [0108.243] lstrcmpiW (lpString1="logs", lpString2="..") returned 1 [0108.243] lstrcmpiW (lpString1="logs", lpString2="...") returned 1 [0108.243] lstrcmpiW (lpString1="logs", lpString2="windows") returned -1 [0108.243] lstrcmpiW (lpString1="logs", lpString2="$RECYCLE.BIN") returned 1 [0108.243] lstrcmpiW (lpString1="logs", lpString2="rsa") returned -1 [0108.243] lstrcmpiW (lpString1="logs", lpString2="log") returned 1 [0108.243] lstrcmpiW (lpString1="logs", lpString2="NTDETECT.COM") returned -1 [0108.243] lstrcmpiW (lpString1="logs", lpString2="ntldr") returned -1 [0108.243] lstrcmpiW (lpString1="logs", lpString2="MSDOS.SYS") returned -1 [0108.243] lstrcmpiW (lpString1="logs", lpString2="IO.SYS") returned 1 [0108.243] lstrcmpiW (lpString1="logs", lpString2="boot.ini") returned 1 [0108.244] lstrcmpiW (lpString1="logs", lpString2="AUTOEXEC.BAT") returned 1 [0108.244] lstrcmpiW (lpString1="logs", lpString2="ntuser.dat") returned -1 [0108.244] lstrcmpiW (lpString1="logs", lpString2="desktop.ini") returned 1 [0108.244] lstrcmpiW (lpString1="logs", lpString2="CONFIG.SYS") returned 1 [0108.244] lstrcmpiW (lpString1="logs", lpString2="RECYCLER") returned -1 [0108.244] lstrcmpiW (lpString1="logs", lpString2="BOOTSECT.BAK") returned 1 [0108.244] lstrcmpiW (lpString1="logs", lpString2="bootmgr") returned 1 [0108.244] lstrcmpiW (lpString1="logs", lpString2="programdata") returned -1 [0108.244] lstrcmpiW (lpString1="logs", lpString2="appdata") returned 1 [0108.244] lstrcmpiW (lpString1="logs", lpString2="program files") returned -1 [0108.244] lstrcmpiW (lpString1="logs", lpString2="program files (x86)") returned -1 [0108.244] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\eHome\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\eHome\\") returned="C:\\Users\\All Users\\Microsoft\\eHome\\" [0108.244] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\eHome\\", lpString2="logs" | out: lpString1="C:\\Users\\All Users\\Microsoft\\eHome\\logs") returned="C:\\Users\\All Users\\Microsoft\\eHome\\logs" [0108.244] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\eHome\\logs", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\") returned="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\" [0108.244] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\") returned="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\" [0108.244] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*.*") returned="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*.*" [0108.244] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e004c, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0108.245] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.245] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e004c, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0108.245] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.245] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.245] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e004c, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 0 [0108.245] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0108.245] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="logs", cAlternateFileName="")) returned 0 [0108.245] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0108.245] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0108.245] lstrcmpiW (lpString1="Event Viewer", lpString2=".") returned 1 [0108.245] lstrcmpiW (lpString1="Event Viewer", lpString2="..") returned 1 [0108.245] lstrcmpiW (lpString1="Event Viewer", lpString2="...") returned 1 [0108.245] lstrcmpiW (lpString1="Event Viewer", lpString2="windows") returned -1 [0108.245] lstrcmpiW (lpString1="Event Viewer", lpString2="$RECYCLE.BIN") returned 1 [0108.245] lstrcmpiW (lpString1="Event Viewer", lpString2="rsa") returned -1 [0108.245] lstrcmpiW (lpString1="Event Viewer", lpString2="log") returned -1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="NTDETECT.COM") returned -1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="ntldr") returned -1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="MSDOS.SYS") returned -1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="IO.SYS") returned -1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="boot.ini") returned 1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="AUTOEXEC.BAT") returned 1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="ntuser.dat") returned -1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="desktop.ini") returned 1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="CONFIG.SYS") returned 1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="RECYCLER") returned -1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="BOOTSECT.BAK") returned 1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="bootmgr") returned 1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="programdata") returned -1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="appdata") returned 1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="program files") returned -1 [0108.246] lstrcmpiW (lpString1="Event Viewer", lpString2="program files (x86)") returned -1 [0108.246] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0108.246] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Event Viewer" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer" [0108.246] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\" [0108.246] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\Event Viewer\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\" [0108.246] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*" [0108.246] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0108.250] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.250] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0108.250] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.250] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.250] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Views", cAlternateFileName="")) returned 1 [0108.250] lstrcmpiW (lpString1="Views", lpString2=".") returned 1 [0108.250] lstrcmpiW (lpString1="Views", lpString2="..") returned 1 [0108.250] lstrcmpiW (lpString1="Views", lpString2="...") returned 1 [0108.250] lstrcmpiW (lpString1="Views", lpString2="windows") returned -1 [0108.250] lstrcmpiW (lpString1="Views", lpString2="$RECYCLE.BIN") returned 1 [0108.250] lstrcmpiW (lpString1="Views", lpString2="rsa") returned 1 [0108.250] lstrcmpiW (lpString1="Views", lpString2="log") returned 1 [0108.250] lstrcmpiW (lpString1="Views", lpString2="NTDETECT.COM") returned 1 [0108.250] lstrcmpiW (lpString1="Views", lpString2="ntldr") returned 1 [0108.250] lstrcmpiW (lpString1="Views", lpString2="MSDOS.SYS") returned 1 [0108.250] lstrcmpiW (lpString1="Views", lpString2="IO.SYS") returned 1 [0108.251] lstrcmpiW (lpString1="Views", lpString2="boot.ini") returned 1 [0108.251] lstrcmpiW (lpString1="Views", lpString2="AUTOEXEC.BAT") returned 1 [0108.251] lstrcmpiW (lpString1="Views", lpString2="ntuser.dat") returned 1 [0108.251] lstrcmpiW (lpString1="Views", lpString2="desktop.ini") returned 1 [0108.251] lstrcmpiW (lpString1="Views", lpString2="CONFIG.SYS") returned 1 [0108.251] lstrcmpiW (lpString1="Views", lpString2="RECYCLER") returned 1 [0108.251] lstrcmpiW (lpString1="Views", lpString2="BOOTSECT.BAK") returned 1 [0108.251] lstrcmpiW (lpString1="Views", lpString2="bootmgr") returned 1 [0108.251] lstrcmpiW (lpString1="Views", lpString2="programdata") returned 1 [0108.251] lstrcmpiW (lpString1="Views", lpString2="appdata") returned 1 [0108.251] lstrcmpiW (lpString1="Views", lpString2="program files") returned 1 [0108.251] lstrcmpiW (lpString1="Views", lpString2="program files (x86)") returned 1 [0108.251] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Event Viewer\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\" [0108.251] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\", lpString2="Views" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views" [0108.251] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\" [0108.251] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\" [0108.251] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*" [0108.251] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0108.252] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.252] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0108.252] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.252] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.252] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 1 [0108.252] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2=".") returned 1 [0108.252] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="..") returned 1 [0108.252] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="...") returned 1 [0108.252] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="windows") returned -1 [0108.252] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="$RECYCLE.BIN") returned 1 [0108.252] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="rsa") returned -1 [0108.252] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="log") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="NTDETECT.COM") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="ntldr") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="MSDOS.SYS") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="IO.SYS") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="boot.ini") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="AUTOEXEC.BAT") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="ntuser.dat") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="desktop.ini") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="CONFIG.SYS") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="RECYCLER") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="BOOTSECT.BAK") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="bootmgr") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="programdata") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="appdata") returned 1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="program files") returned -1 [0108.253] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="program files (x86)") returned -1 [0108.253] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\" [0108.253] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", lpString2="ApplicationViewsRootNode" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode" [0108.253] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\" [0108.253] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\" [0108.253] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*" [0108.253] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680066, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0108.254] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.254] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680066, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0108.254] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.254] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.254] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680066, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 0 [0108.254] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0108.254] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 0 [0108.254] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0108.255] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Views", cAlternateFileName="")) returned 0 [0108.255] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0108.255] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2=".") returned 1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="..") returned 1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="...") returned 1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="windows") returned -1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="$RECYCLE.BIN") returned 1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="rsa") returned -1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="log") returned -1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="NTDETECT.COM") returned -1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="ntldr") returned -1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="MSDOS.SYS") returned -1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="IO.SYS") returned -1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="boot.ini") returned 1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="AUTOEXEC.BAT") returned 1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="ntuser.dat") returned -1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="desktop.ini") returned 1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="CONFIG.SYS") returned 1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="RECYCLER") returned -1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="BOOTSECT.BAK") returned 1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="bootmgr") returned 1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="programdata") returned -1 [0108.255] lstrcmpiW (lpString1="IdentityCRL", lpString2="appdata") returned 1 [0108.256] lstrcmpiW (lpString1="IdentityCRL", lpString2="program files") returned -1 [0108.256] lstrcmpiW (lpString1="IdentityCRL", lpString2="program files (x86)") returned -1 [0108.256] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0108.256] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="IdentityCRL" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL" [0108.256] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\" [0108.256] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\" [0108.256] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" [0108.256] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0108.256] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.256] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0108.256] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.256] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.256] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd591378b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd591378b, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac29de1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3d00, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="ppcrlconfig.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2=".") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="..") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="...") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="windows") returned -1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="rsa") returned -1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="log") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="NTDETECT.COM") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="ntldr") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="MSDOS.SYS") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="IO.SYS") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="boot.ini") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="ntuser.dat") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="desktop.ini") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="CONFIG.SYS") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="RECYCLER") returned -1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="bootmgr") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="programdata") returned -1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="appdata") returned 1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="program files") returned -1 [0108.257] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="program files (x86)") returned -1 [0108.257] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\" [0108.258] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="ppcrlconfig.dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" [0108.258] PathFindExtensionW (pszPath="ppcrlconfig.dll") returned=".dll" [0108.258] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.258] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.258] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.258] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.258] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.258] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.258] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.258] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.258] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac4ff3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2=".") returned 1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="..") returned 1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="...") returned 1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="windows") returned -1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="rsa") returned -1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="log") returned 1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="NTDETECT.COM") returned 1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="ntldr") returned 1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="MSDOS.SYS") returned 1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="IO.SYS") returned 1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="boot.ini") returned 1 [0108.258] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.259] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="ntuser.dat") returned 1 [0108.259] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="desktop.ini") returned 1 [0108.259] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="CONFIG.SYS") returned 1 [0108.259] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="RECYCLER") returned -1 [0108.259] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.259] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="bootmgr") returned 1 [0108.259] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="programdata") returned -1 [0108.259] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="appdata") returned 1 [0108.259] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="program files") returned -1 [0108.259] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="program files (x86)") returned -1 [0108.259] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\" [0108.259] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="ppcrlui.dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned="C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll" [0108.259] PathFindExtensionW (pszPath="ppcrlui.dll") returned=".dll" [0108.259] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.259] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.259] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.259] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.259] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.259] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.259] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.259] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.259] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac4ff3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 0 [0108.259] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0108.260] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2=".") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="..") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="...") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="windows") returned -1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="$RECYCLE.BIN") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="rsa") returned -1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="log") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="NTDETECT.COM") returned -1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="ntldr") returned -1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="MSDOS.SYS") returned -1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="IO.SYS") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="boot.ini") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="AUTOEXEC.BAT") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="ntuser.dat") returned -1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="desktop.ini") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="CONFIG.SYS") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="RECYCLER") returned -1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="BOOTSECT.BAK") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="bootmgr") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="programdata") returned -1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="appdata") returned 1 [0108.260] lstrcmpiW (lpString1="Media Player", lpString2="program files") returned -1 [0108.261] lstrcmpiW (lpString1="Media Player", lpString2="program files (x86)") returned -1 [0108.261] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0108.261] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Media Player" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Media Player") returned="C:\\Users\\All Users\\Microsoft\\Media Player" [0108.261] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Media Player", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Media Player\\") returned="C:\\Users\\All Users\\Microsoft\\Media Player\\" [0108.261] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\Media Player\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Media Player\\") returned="C:\\Users\\All Users\\Microsoft\\Media Player\\" [0108.261] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Media Player\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Media Player\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Media Player\\*.*" [0108.261] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Media Player\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0108.261] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.261] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0108.261] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.261] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.262] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 0 [0108.262] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0108.262] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MF", cAlternateFileName="")) returned 1 [0108.262] lstrcmpiW (lpString1="MF", lpString2=".") returned 1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="..") returned 1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="...") returned 1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="windows") returned -1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="$RECYCLE.BIN") returned 1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="rsa") returned -1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="log") returned 1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="NTDETECT.COM") returned -1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="ntldr") returned -1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="MSDOS.SYS") returned -1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="IO.SYS") returned 1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="boot.ini") returned 1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="AUTOEXEC.BAT") returned 1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="ntuser.dat") returned -1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="desktop.ini") returned 1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="CONFIG.SYS") returned 1 [0108.262] lstrcmpiW (lpString1="MF", lpString2="RECYCLER") returned -1 [0108.263] lstrcmpiW (lpString1="MF", lpString2="BOOTSECT.BAK") returned 1 [0108.263] lstrcmpiW (lpString1="MF", lpString2="bootmgr") returned 1 [0108.263] lstrcmpiW (lpString1="MF", lpString2="programdata") returned -1 [0108.263] lstrcmpiW (lpString1="MF", lpString2="appdata") returned 1 [0108.263] lstrcmpiW (lpString1="MF", lpString2="program files") returned -1 [0108.263] lstrcmpiW (lpString1="MF", lpString2="program files (x86)") returned -1 [0108.263] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0108.263] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="MF" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF") returned="C:\\Users\\All Users\\Microsoft\\MF" [0108.263] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MF", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\") returned="C:\\Users\\All Users\\Microsoft\\MF\\" [0108.263] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\MF\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\") returned="C:\\Users\\All Users\\Microsoft\\MF\\" [0108.263] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned="C:\\Users\\All Users\\Microsoft\\MF\\*.*" [0108.263] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0108.263] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.264] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0108.264] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.264] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.264] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Active.GRL", cAlternateFileName="")) returned 1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2=".") returned 1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="..") returned 1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="...") returned 1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="windows") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="$RECYCLE.BIN") returned 1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="rsa") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="log") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="NTDETECT.COM") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="ntldr") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="MSDOS.SYS") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="IO.SYS") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="boot.ini") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="AUTOEXEC.BAT") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="ntuser.dat") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="desktop.ini") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="CONFIG.SYS") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="RECYCLER") returned -1 [0108.264] lstrcmpiW (lpString1="Active.GRL", lpString2="BOOTSECT.BAK") returned -1 [0108.265] lstrcmpiW (lpString1="Active.GRL", lpString2="bootmgr") returned -1 [0108.265] lstrcmpiW (lpString1="Active.GRL", lpString2="programdata") returned -1 [0108.265] lstrcmpiW (lpString1="Active.GRL", lpString2="appdata") returned -1 [0108.265] lstrcmpiW (lpString1="Active.GRL", lpString2="program files") returned -1 [0108.265] lstrcmpiW (lpString1="Active.GRL", lpString2="program files (x86)") returned -1 [0108.265] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\MF\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\") returned="C:\\Users\\All Users\\Microsoft\\MF\\" [0108.265] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="Active.GRL" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL") returned="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL" [0108.265] PathFindExtensionW (pszPath="Active.GRL") returned=".GRL" [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".exe") returned 1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".log") returned -1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".cab") returned 1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".cmd") returned 1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".com") returned 1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".cpl") returned 1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".ini") returned -1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".dll") returned 1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".url") returned -1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".ttf") returned -1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".mp3") returned -1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".pif") returned -1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".mp4") returned -1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".NEPHILIM") returned -1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".msi") returned -1 [0108.265] lstrcmpiW (lpString1=".GRL", lpString2=".lnk") returned -1 [0108.265] lstrcmpiW (lpString1="Active.GRL", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0108.266] lstrlenA (lpString="NEPHILIM") returned 8 [0108.266] GetProcessHeap () returned 0x4e0000 [0108.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bc60 [0108.266] lstrlenA (lpString="NEPHILIM") returned 8 [0108.266] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0108.266] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=14972) returned 1 [0108.266] GetProcessHeap () returned 0x4e0000 [0108.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0108.266] GetProcessHeap () returned 0x4e0000 [0108.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0108.266] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0108.266] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0108.266] GetProcessHeap () returned 0x4e0000 [0108.266] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0108.266] GetProcessHeap () returned 0x4e0000 [0108.267] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0108.267] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0108.267] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0108.267] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3a7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.267] SetLastError (dwErrCode=0x0) [0108.267] WriteFile (in: hFile=0xf0, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0108.270] GetLastError () returned 0x0 [0108.270] GetLastError () returned 0x0 [0108.270] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3b7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.270] WriteFile (in: hFile=0xf0, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0108.271] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3c7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.271] lstrlenA (lpString="NEPHILIM") returned 8 [0108.271] WriteFile (in: hFile=0xf0, lpBuffer=0x50bc60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50bc60*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0108.271] GetProcessHeap () returned 0x4e0000 [0108.271] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3a7c) returned 0x514fd8 [0108.271] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.271] ReadFile (in: hFile=0xf0, lpBuffer=0x514fd8, nNumberOfBytesToRead=0x3a7c, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesRead=0x24dddb0*=0x3a7c, lpOverlapped=0x0) returned 1 [0108.273] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.273] WriteFile (in: hFile=0xf0, lpBuffer=0x514fd8*, nNumberOfBytesToWrite=0x3a7c, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesWritten=0x24dddbc*=0x3a7c, lpOverlapped=0x0) returned 1 [0108.274] GetProcessHeap () returned 0x4e0000 [0108.274] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514fd8 | out: hHeap=0x4e0000) returned 1 [0108.274] CloseHandle (hObject=0xf0) returned 1 [0108.275] GetProcessHeap () returned 0x4e0000 [0108.275] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0108.275] GetProcessHeap () returned 0x4e0000 [0108.275] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0108.275] GetProcessHeap () returned 0x4e0000 [0108.276] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0108.276] GetProcessHeap () returned 0x4e0000 [0108.276] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0108.276] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL") returned="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL" [0108.276] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL.NEPHILIM" [0108.276] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\active.grl"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\mf\\active.grl.nephilim")) returned 1 [0108.277] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2=".") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="..") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="...") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="windows") returned -1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="$RECYCLE.BIN") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="rsa") returned -1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="log") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="NTDETECT.COM") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="ntldr") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="MSDOS.SYS") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="IO.SYS") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="boot.ini") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="AUTOEXEC.BAT") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="ntuser.dat") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="desktop.ini") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="CONFIG.SYS") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="RECYCLER") returned -1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="BOOTSECT.BAK") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="bootmgr") returned 1 [0108.277] lstrcmpiW (lpString1="Pending.GRL", lpString2="programdata") returned -1 [0108.278] lstrcmpiW (lpString1="Pending.GRL", lpString2="appdata") returned 1 [0108.278] lstrcmpiW (lpString1="Pending.GRL", lpString2="program files") returned -1 [0108.278] lstrcmpiW (lpString1="Pending.GRL", lpString2="program files (x86)") returned -1 [0108.278] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\MF\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\") returned="C:\\Users\\All Users\\Microsoft\\MF\\" [0108.278] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="Pending.GRL" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL") returned="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL" [0108.278] PathFindExtensionW (pszPath="Pending.GRL") returned=".GRL" [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".exe") returned 1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".log") returned -1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".cab") returned 1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".cmd") returned 1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".com") returned 1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".cpl") returned 1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".ini") returned -1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".dll") returned 1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".url") returned -1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".ttf") returned -1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".mp3") returned -1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".pif") returned -1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".mp4") returned -1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".NEPHILIM") returned -1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".msi") returned -1 [0108.278] lstrcmpiW (lpString1=".GRL", lpString2=".lnk") returned -1 [0108.278] lstrcmpiW (lpString1="Pending.GRL", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.278] lstrlenA (lpString="NEPHILIM") returned 8 [0108.278] GetProcessHeap () returned 0x4e0000 [0108.279] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bc70 [0108.279] lstrlenA (lpString="NEPHILIM") returned 8 [0108.279] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0108.280] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=14972) returned 1 [0108.280] GetProcessHeap () returned 0x4e0000 [0108.280] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0108.280] GetProcessHeap () returned 0x4e0000 [0108.280] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0108.280] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0108.280] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0108.280] GetProcessHeap () returned 0x4e0000 [0108.280] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0108.280] GetProcessHeap () returned 0x4e0000 [0108.280] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0108.280] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0108.281] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0108.281] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3a7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.281] SetLastError (dwErrCode=0x0) [0108.281] WriteFile (in: hFile=0xf0, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0108.284] GetLastError () returned 0x0 [0108.284] GetLastError () returned 0x0 [0108.284] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3b7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.284] WriteFile (in: hFile=0xf0, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0108.284] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3c7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.284] lstrlenA (lpString="NEPHILIM") returned 8 [0108.284] WriteFile (in: hFile=0xf0, lpBuffer=0x50bc70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50bc70*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0108.284] GetProcessHeap () returned 0x4e0000 [0108.284] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3a7c) returned 0x514fd8 [0108.284] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.284] ReadFile (in: hFile=0xf0, lpBuffer=0x514fd8, nNumberOfBytesToRead=0x3a7c, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesRead=0x24dddb0*=0x3a7c, lpOverlapped=0x0) returned 1 [0108.286] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.286] WriteFile (in: hFile=0xf0, lpBuffer=0x514fd8*, nNumberOfBytesToWrite=0x3a7c, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesWritten=0x24dddbc*=0x3a7c, lpOverlapped=0x0) returned 1 [0108.287] GetProcessHeap () returned 0x4e0000 [0108.287] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514fd8 | out: hHeap=0x4e0000) returned 1 [0108.287] CloseHandle (hObject=0xf0) returned 1 [0108.294] GetProcessHeap () returned 0x4e0000 [0108.294] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0108.294] GetProcessHeap () returned 0x4e0000 [0108.294] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0108.294] GetProcessHeap () returned 0x4e0000 [0108.294] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0108.294] GetProcessHeap () returned 0x4e0000 [0108.294] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0108.295] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL") returned="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL" [0108.295] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL.NEPHILIM" [0108.295] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\pending.grl"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\mf\\pending.grl.nephilim")) returned 1 [0108.298] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Pending.GRL", cAlternateFileName="")) returned 0 [0108.298] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0108.300] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MSDN", cAlternateFileName="")) returned 1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2=".") returned 1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="..") returned 1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="...") returned 1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="windows") returned -1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="$RECYCLE.BIN") returned 1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="rsa") returned -1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="log") returned 1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="NTDETECT.COM") returned -1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="ntldr") returned -1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="MSDOS.SYS") returned -1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="IO.SYS") returned 1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="boot.ini") returned 1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="AUTOEXEC.BAT") returned 1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="ntuser.dat") returned -1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="desktop.ini") returned 1 [0108.300] lstrcmpiW (lpString1="MSDN", lpString2="CONFIG.SYS") returned 1 [0108.301] lstrcmpiW (lpString1="MSDN", lpString2="RECYCLER") returned -1 [0108.301] lstrcmpiW (lpString1="MSDN", lpString2="BOOTSECT.BAK") returned 1 [0108.302] lstrcmpiW (lpString1="MSDN", lpString2="bootmgr") returned 1 [0108.302] lstrcmpiW (lpString1="MSDN", lpString2="programdata") returned -1 [0108.302] lstrcmpiW (lpString1="MSDN", lpString2="appdata") returned 1 [0108.302] lstrcmpiW (lpString1="MSDN", lpString2="program files") returned -1 [0108.302] lstrcmpiW (lpString1="MSDN", lpString2="program files (x86)") returned -1 [0108.302] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0108.302] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="MSDN" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN") returned="C:\\Users\\All Users\\Microsoft\\MSDN" [0108.302] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN\\") returned="C:\\Users\\All Users\\Microsoft\\MSDN\\" [0108.303] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\MSDN\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN\\") returned="C:\\Users\\All Users\\Microsoft\\MSDN\\" [0108.303] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN\\*.*") returned="C:\\Users\\All Users\\Microsoft\\MSDN\\*.*" [0108.303] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\MSDN\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0108.303] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.303] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0108.303] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.303] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.303] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="8.0", cAlternateFileName="")) returned 1 [0108.303] lstrcmpiW (lpString1="8.0", lpString2=".") returned 1 [0108.303] lstrcmpiW (lpString1="8.0", lpString2="..") returned 1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="...") returned 1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="windows") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="$RECYCLE.BIN") returned 1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="rsa") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="log") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="NTDETECT.COM") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="ntldr") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="MSDOS.SYS") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="IO.SYS") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="boot.ini") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="AUTOEXEC.BAT") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="ntuser.dat") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="desktop.ini") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="CONFIG.SYS") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="RECYCLER") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="BOOTSECT.BAK") returned -1 [0108.304] lstrcmpiW (lpString1="8.0", lpString2="bootmgr") returned -1 [0108.305] lstrcmpiW (lpString1="8.0", lpString2="programdata") returned -1 [0108.305] lstrcmpiW (lpString1="8.0", lpString2="appdata") returned -1 [0108.305] lstrcmpiW (lpString1="8.0", lpString2="program files") returned -1 [0108.305] lstrcmpiW (lpString1="8.0", lpString2="program files (x86)") returned -1 [0108.305] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\MSDN\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN\\") returned="C:\\Users\\All Users\\Microsoft\\MSDN\\" [0108.306] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN\\", lpString2="8.0" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0") returned="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0" [0108.306] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\") returned="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\" [0108.306] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\") returned="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\" [0108.306] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\*.*") returned="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\*.*" [0108.306] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c004a, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0108.307] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.307] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c004a, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0108.307] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.307] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.307] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c004a, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 0 [0108.307] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0108.308] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="8.0", cAlternateFileName="")) returned 0 [0108.308] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0108.308] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2=".") returned 1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="..") returned 1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="...") returned 1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="windows") returned -1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="$RECYCLE.BIN") returned 1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="rsa") returned -1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="log") returned 1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="NTDETECT.COM") returned -1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="ntldr") returned -1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="MSDOS.SYS") returned 1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="IO.SYS") returned 1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="boot.ini") returned 1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="AUTOEXEC.BAT") returned 1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="ntuser.dat") returned -1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="desktop.ini") returned 1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="CONFIG.SYS") returned 1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="RECYCLER") returned -1 [0108.308] lstrcmpiW (lpString1="NetFramework", lpString2="BOOTSECT.BAK") returned 1 [0108.309] lstrcmpiW (lpString1="NetFramework", lpString2="bootmgr") returned 1 [0108.309] lstrcmpiW (lpString1="NetFramework", lpString2="programdata") returned -1 [0108.309] lstrcmpiW (lpString1="NetFramework", lpString2="appdata") returned 1 [0108.309] lstrcmpiW (lpString1="NetFramework", lpString2="program files") returned -1 [0108.309] lstrcmpiW (lpString1="NetFramework", lpString2="program files (x86)") returned -1 [0108.309] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0108.309] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="NetFramework" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework") returned="C:\\Users\\All Users\\Microsoft\\NetFramework" [0108.309] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\" [0108.309] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\NetFramework\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\" [0108.309] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*" [0108.309] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0108.315] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.315] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0108.315] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.315] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.315] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2=".") returned 1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="..") returned 1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="...") returned 1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="windows") returned -1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="$RECYCLE.BIN") returned 1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="rsa") returned -1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="log") returned -1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="NTDETECT.COM") returned -1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="ntldr") returned -1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="MSDOS.SYS") returned -1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="IO.SYS") returned -1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="boot.ini") returned 1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="AUTOEXEC.BAT") returned 1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="ntuser.dat") returned -1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="desktop.ini") returned -1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="CONFIG.SYS") returned -1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="RECYCLER") returned -1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="BOOTSECT.BAK") returned 1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="bootmgr") returned 1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="programdata") returned -1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="appdata") returned 1 [0108.315] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="program files") returned -1 [0108.316] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="program files (x86)") returned -1 [0108.316] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\NetFramework\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\" [0108.316] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\", lpString2="BreadcrumbStore" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore" [0108.316] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\" [0108.316] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\" [0108.316] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*") returned="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*" [0108.316] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0108.316] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.316] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0108.316] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.316] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.316] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 0 [0108.316] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0108.317] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 0 [0108.317] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0108.317] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Network", cAlternateFileName="")) returned 1 [0108.317] lstrcmpiW (lpString1="Network", lpString2=".") returned 1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="..") returned 1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="...") returned 1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="windows") returned -1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="$RECYCLE.BIN") returned 1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="rsa") returned -1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="log") returned 1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="NTDETECT.COM") returned -1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="ntldr") returned -1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="MSDOS.SYS") returned 1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="IO.SYS") returned 1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="boot.ini") returned 1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="AUTOEXEC.BAT") returned 1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="ntuser.dat") returned -1 [0108.317] lstrcmpiW (lpString1="Network", lpString2="desktop.ini") returned 1 [0108.318] lstrcmpiW (lpString1="Network", lpString2="CONFIG.SYS") returned 1 [0108.318] lstrcmpiW (lpString1="Network", lpString2="RECYCLER") returned -1 [0108.318] lstrcmpiW (lpString1="Network", lpString2="BOOTSECT.BAK") returned 1 [0108.318] lstrcmpiW (lpString1="Network", lpString2="bootmgr") returned 1 [0108.318] lstrcmpiW (lpString1="Network", lpString2="programdata") returned -1 [0108.318] lstrcmpiW (lpString1="Network", lpString2="appdata") returned 1 [0108.318] lstrcmpiW (lpString1="Network", lpString2="program files") returned -1 [0108.318] lstrcmpiW (lpString1="Network", lpString2="program files (x86)") returned -1 [0108.318] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0108.318] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Network" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network") returned="C:\\Users\\All Users\\Microsoft\\Network" [0108.318] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\" [0108.318] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\" [0108.318] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Network\\*.*" [0108.318] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0108.318] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.319] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0108.319] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.319] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.319] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2=".") returned 1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="..") returned 1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="...") returned 1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="windows") returned -1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="$RECYCLE.BIN") returned 1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="rsa") returned -1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="log") returned -1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="NTDETECT.COM") returned -1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="ntldr") returned -1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="MSDOS.SYS") returned -1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="IO.SYS") returned -1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="boot.ini") returned 1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="AUTOEXEC.BAT") returned 1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="ntuser.dat") returned -1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="desktop.ini") returned -1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="CONFIG.SYS") returned 1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="RECYCLER") returned -1 [0108.319] lstrcmpiW (lpString1="Connections", lpString2="BOOTSECT.BAK") returned 1 [0108.320] lstrcmpiW (lpString1="Connections", lpString2="bootmgr") returned 1 [0108.320] lstrcmpiW (lpString1="Connections", lpString2="programdata") returned -1 [0108.320] lstrcmpiW (lpString1="Connections", lpString2="appdata") returned 1 [0108.320] lstrcmpiW (lpString1="Connections", lpString2="program files") returned -1 [0108.320] lstrcmpiW (lpString1="Connections", lpString2="program files (x86)") returned -1 [0108.320] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\" [0108.320] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\", lpString2="Connections" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned="C:\\Users\\All Users\\Microsoft\\Network\\Connections" [0108.320] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\" [0108.320] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\" [0108.320] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*" [0108.320] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0108.321] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.321] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0108.321] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.321] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.321] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 0 [0108.321] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0108.321] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0108.321] lstrcmpiW (lpString1="Downloader", lpString2=".") returned 1 [0108.321] lstrcmpiW (lpString1="Downloader", lpString2="..") returned 1 [0108.321] lstrcmpiW (lpString1="Downloader", lpString2="...") returned 1 [0108.321] lstrcmpiW (lpString1="Downloader", lpString2="windows") returned -1 [0108.321] lstrcmpiW (lpString1="Downloader", lpString2="$RECYCLE.BIN") returned 1 [0108.321] lstrcmpiW (lpString1="Downloader", lpString2="rsa") returned -1 [0108.321] lstrcmpiW (lpString1="Downloader", lpString2="log") returned -1 [0108.321] lstrcmpiW (lpString1="Downloader", lpString2="NTDETECT.COM") returned -1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="ntldr") returned -1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="MSDOS.SYS") returned -1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="IO.SYS") returned -1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="boot.ini") returned 1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="AUTOEXEC.BAT") returned 1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="ntuser.dat") returned -1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="desktop.ini") returned 1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="CONFIG.SYS") returned 1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="RECYCLER") returned -1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="BOOTSECT.BAK") returned 1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="bootmgr") returned 1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="programdata") returned -1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="appdata") returned 1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="program files") returned -1 [0108.322] lstrcmpiW (lpString1="Downloader", lpString2="program files (x86)") returned -1 [0108.322] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\" [0108.322] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\", lpString2="Downloader" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader" [0108.322] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\" [0108.322] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\" [0108.322] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" [0108.322] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0108.323] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.323] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0108.323] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.323] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.323] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xe0118910, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x520050, dwReserved1=0x24de260, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2=".") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="..") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="...") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="windows") returned -1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="$RECYCLE.BIN") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="rsa") returned -1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="log") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="NTDETECT.COM") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="ntldr") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="MSDOS.SYS") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="IO.SYS") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="boot.ini") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="AUTOEXEC.BAT") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="ntuser.dat") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="desktop.ini") returned 1 [0108.323] lstrcmpiW (lpString1="qmgr0.dat", lpString2="CONFIG.SYS") returned 1 [0108.324] lstrcmpiW (lpString1="qmgr0.dat", lpString2="RECYCLER") returned -1 [0108.324] lstrcmpiW (lpString1="qmgr0.dat", lpString2="BOOTSECT.BAK") returned 1 [0108.324] lstrcmpiW (lpString1="qmgr0.dat", lpString2="bootmgr") returned 1 [0108.324] lstrcmpiW (lpString1="qmgr0.dat", lpString2="programdata") returned 1 [0108.324] lstrcmpiW (lpString1="qmgr0.dat", lpString2="appdata") returned 1 [0108.324] lstrcmpiW (lpString1="qmgr0.dat", lpString2="program files") returned 1 [0108.324] lstrcmpiW (lpString1="qmgr0.dat", lpString2="program files (x86)") returned 1 [0108.324] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\" [0108.324] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="qmgr0.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" [0108.324] PathFindExtensionW (pszPath="qmgr0.dat") returned=".dat" [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".cab") returned 1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".cmd") returned 1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".com") returned 1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".cpl") returned 1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".url") returned -1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".mp3") returned -1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".pif") returned -1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".mp4") returned -1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".NEPHILIM") returned -1 [0108.324] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0108.325] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0108.325] lstrcmpiW (lpString1="qmgr0.dat", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.325] lstrlenA (lpString="NEPHILIM") returned 8 [0108.325] GetProcessHeap () returned 0x4e0000 [0108.325] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bc80 [0108.325] lstrlenA (lpString="NEPHILIM") returned 8 [0108.325] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0108.325] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4194304) returned 1 [0108.325] GetProcessHeap () returned 0x4e0000 [0108.325] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0108.326] GetProcessHeap () returned 0x4e0000 [0108.326] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0108.326] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0108.326] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0108.326] GetProcessHeap () returned 0x4e0000 [0108.326] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0108.326] GetProcessHeap () returned 0x4e0000 [0108.326] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0108.326] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dd508*=0x100) returned 1 [0108.326] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dd504*=0x100) returned 1 [0108.326] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x400000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.327] SetLastError (dwErrCode=0x0) [0108.327] WriteFile (in: hFile=0xf4, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0108.328] GetLastError () returned 0x0 [0108.328] GetLastError () returned 0x0 [0108.328] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x400100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.328] WriteFile (in: hFile=0xf4, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0108.329] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x400200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.329] lstrlenA (lpString="NEPHILIM") returned 8 [0108.329] WriteFile (in: hFile=0xf4, lpBuffer=0x50bc80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50bc80*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0108.329] GetProcessHeap () returned 0x4e0000 [0108.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2110020 [0108.329] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.329] ReadFile (in: hFile=0xf4, lpBuffer=0x2110020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dd730*=0x927c0, lpOverlapped=0x0) returned 1 [0108.440] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.440] WriteFile (in: hFile=0xf4, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dd73c*=0x927c0, lpOverlapped=0x0) returned 1 [0108.442] GetProcessHeap () returned 0x4e0000 [0108.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0108.448] CloseHandle (hObject=0xf4) returned 1 [0108.658] GetProcessHeap () returned 0x4e0000 [0108.658] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0108.658] GetProcessHeap () returned 0x4e0000 [0108.658] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0108.658] GetProcessHeap () returned 0x4e0000 [0108.658] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0108.658] GetProcessHeap () returned 0x4e0000 [0108.658] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0108.658] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" [0108.658] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.NEPHILIM" [0108.658] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat.nephilim")) returned 1 [0108.659] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xdd404870, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x520050, dwReserved1=0x24de260, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1 [0108.659] lstrcmpiW (lpString1="qmgr1.dat", lpString2=".") returned 1 [0108.659] lstrcmpiW (lpString1="qmgr1.dat", lpString2="..") returned 1 [0108.659] lstrcmpiW (lpString1="qmgr1.dat", lpString2="...") returned 1 [0108.659] lstrcmpiW (lpString1="qmgr1.dat", lpString2="windows") returned -1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="$RECYCLE.BIN") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="rsa") returned -1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="log") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="NTDETECT.COM") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="ntldr") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="MSDOS.SYS") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="IO.SYS") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="boot.ini") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="AUTOEXEC.BAT") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="ntuser.dat") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="desktop.ini") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="CONFIG.SYS") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="RECYCLER") returned -1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="BOOTSECT.BAK") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="bootmgr") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="programdata") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="appdata") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="program files") returned 1 [0108.660] lstrcmpiW (lpString1="qmgr1.dat", lpString2="program files (x86)") returned 1 [0108.660] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\" [0108.660] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="qmgr1.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" [0108.660] PathFindExtensionW (pszPath="qmgr1.dat") returned=".dat" [0108.660] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0108.660] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0108.660] lstrcmpiW (lpString1=".dat", lpString2=".cab") returned 1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".cmd") returned 1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".com") returned 1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".cpl") returned 1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".url") returned -1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".mp3") returned -1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".pif") returned -1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".mp4") returned -1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".NEPHILIM") returned -1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0108.661] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0108.661] lstrcmpiW (lpString1="qmgr1.dat", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0108.661] lstrlenA (lpString="NEPHILIM") returned 8 [0108.661] GetProcessHeap () returned 0x4e0000 [0108.661] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bc90 [0108.661] lstrlenA (lpString="NEPHILIM") returned 8 [0108.661] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0108.662] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4194304) returned 1 [0108.662] GetProcessHeap () returned 0x4e0000 [0108.662] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0108.662] GetProcessHeap () returned 0x4e0000 [0108.662] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0108.662] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0108.662] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0108.662] GetProcessHeap () returned 0x4e0000 [0108.662] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0108.662] GetProcessHeap () returned 0x4e0000 [0108.662] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0108.662] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dd508*=0x100) returned 1 [0108.663] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dd504*=0x100) returned 1 [0108.663] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x400000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.663] SetLastError (dwErrCode=0x0) [0108.663] WriteFile (in: hFile=0xf4, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0108.664] GetLastError () returned 0x0 [0108.664] GetLastError () returned 0x0 [0108.664] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x400100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.665] WriteFile (in: hFile=0xf4, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0108.665] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x400200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.665] lstrlenA (lpString="NEPHILIM") returned 8 [0108.665] WriteFile (in: hFile=0xf4, lpBuffer=0x50bc90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50bc90*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0108.665] GetProcessHeap () returned 0x4e0000 [0108.665] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2110020 [0108.665] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.665] ReadFile (in: hFile=0xf4, lpBuffer=0x2110020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dd730*=0x927c0, lpOverlapped=0x0) returned 1 [0108.735] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.735] WriteFile (in: hFile=0xf4, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dd73c*=0x927c0, lpOverlapped=0x0) returned 1 [0108.737] GetProcessHeap () returned 0x4e0000 [0108.737] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0108.742] CloseHandle (hObject=0xf4) returned 1 [0109.151] GetProcessHeap () returned 0x4e0000 [0109.152] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0109.152] GetProcessHeap () returned 0x4e0000 [0109.152] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0109.152] GetProcessHeap () returned 0x4e0000 [0109.152] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0109.152] GetProcessHeap () returned 0x4e0000 [0109.152] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0109.152] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" [0109.152] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat.NEPHILIM" [0109.152] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat.nephilim")) returned 1 [0109.153] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xdd404870, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x520050, dwReserved1=0x24de260, cFileName="qmgr1.dat", cAlternateFileName="")) returned 0 [0109.153] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0109.154] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 0 [0109.154] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0109.154] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="OFFICE", cAlternateFileName="")) returned 1 [0109.154] lstrcmpiW (lpString1="OFFICE", lpString2=".") returned 1 [0109.154] lstrcmpiW (lpString1="OFFICE", lpString2="..") returned 1 [0109.154] lstrcmpiW (lpString1="OFFICE", lpString2="...") returned 1 [0109.154] lstrcmpiW (lpString1="OFFICE", lpString2="windows") returned -1 [0109.154] lstrcmpiW (lpString1="OFFICE", lpString2="$RECYCLE.BIN") returned 1 [0109.154] lstrcmpiW (lpString1="OFFICE", lpString2="rsa") returned -1 [0109.154] lstrcmpiW (lpString1="OFFICE", lpString2="log") returned 1 [0109.154] lstrcmpiW (lpString1="OFFICE", lpString2="NTDETECT.COM") returned 1 [0109.154] lstrcmpiW (lpString1="OFFICE", lpString2="ntldr") returned 1 [0109.154] lstrcmpiW (lpString1="OFFICE", lpString2="MSDOS.SYS") returned 1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="IO.SYS") returned 1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="boot.ini") returned 1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="AUTOEXEC.BAT") returned 1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="ntuser.dat") returned 1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="desktop.ini") returned 1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="CONFIG.SYS") returned 1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="RECYCLER") returned -1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="BOOTSECT.BAK") returned 1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="bootmgr") returned 1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="programdata") returned -1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="appdata") returned 1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="program files") returned -1 [0109.155] lstrcmpiW (lpString1="OFFICE", lpString2="program files (x86)") returned -1 [0109.155] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0109.155] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="OFFICE" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE") returned="C:\\Users\\All Users\\Microsoft\\OFFICE" [0109.155] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\" [0109.156] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\" [0109.156] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" [0109.156] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0109.219] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.219] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0109.219] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.220] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.220] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5011dd00, ftCreationTime.dwHighDateTime=0x1ca04ff, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5011dd00, ftLastWriteTime.dwHighDateTime=0x1ca04ff, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="AssetLibrary.ico", cAlternateFileName="ASSETL~1.ICO")) returned 1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2=".") returned 1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="..") returned 1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="...") returned 1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="windows") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="$RECYCLE.BIN") returned 1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="rsa") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="log") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="NTDETECT.COM") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="ntldr") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="MSDOS.SYS") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="IO.SYS") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="boot.ini") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="AUTOEXEC.BAT") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="ntuser.dat") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="desktop.ini") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="CONFIG.SYS") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="RECYCLER") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="BOOTSECT.BAK") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="bootmgr") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="programdata") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="appdata") returned 1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="program files") returned -1 [0109.220] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="program files (x86)") returned -1 [0109.221] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\" [0109.221] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="AssetLibrary.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico" [0109.221] PathFindExtensionW (pszPath="AssetLibrary.ico") returned=".ico" [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0109.221] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0109.222] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0109.222] lstrlenA (lpString="NEPHILIM") returned 8 [0109.222] GetProcessHeap () returned 0x4e0000 [0109.222] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d4c8 [0109.222] lstrlenA (lpString="NEPHILIM") returned 8 [0109.222] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\assetlibrary.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0109.273] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=5430) returned 1 [0109.273] GetProcessHeap () returned 0x4e0000 [0109.273] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0109.274] GetProcessHeap () returned 0x4e0000 [0109.274] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0109.274] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0109.274] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0109.274] GetProcessHeap () returned 0x4e0000 [0109.274] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0109.274] GetProcessHeap () returned 0x4e0000 [0109.274] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0109.274] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0109.274] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0109.275] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x1536, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.275] SetLastError (dwErrCode=0x0) [0109.275] WriteFile (in: hFile=0xf0, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0109.296] GetLastError () returned 0x0 [0109.296] GetLastError () returned 0x0 [0109.296] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x1636, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.296] WriteFile (in: hFile=0xf0, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0109.296] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x1736, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.296] lstrlenA (lpString="NEPHILIM") returned 8 [0109.296] WriteFile (in: hFile=0xf0, lpBuffer=0x50d4c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d4c8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0109.297] GetProcessHeap () returned 0x4e0000 [0109.297] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1536) returned 0x50dcb8 [0109.297] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.297] ReadFile (in: hFile=0xf0, lpBuffer=0x50dcb8, nNumberOfBytesToRead=0x1536, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesRead=0x24dddb0*=0x1536, lpOverlapped=0x0) returned 1 [0109.299] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.299] WriteFile (in: hFile=0xf0, lpBuffer=0x50dcb8*, nNumberOfBytesToWrite=0x1536, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50dcb8*, lpNumberOfBytesWritten=0x24dddbc*=0x1536, lpOverlapped=0x0) returned 1 [0109.299] GetProcessHeap () returned 0x4e0000 [0109.299] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dcb8 | out: hHeap=0x4e0000) returned 1 [0109.299] CloseHandle (hObject=0xf0) returned 1 [0109.304] GetProcessHeap () returned 0x4e0000 [0109.304] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0109.304] GetProcessHeap () returned 0x4e0000 [0109.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0109.305] GetProcessHeap () returned 0x4e0000 [0109.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0109.305] GetProcessHeap () returned 0x4e0000 [0109.305] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0109.305] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico" [0109.305] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico.NEPHILIM" [0109.305] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\assetlibrary.ico"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\assetlibrary.ico.nephilim")) returned 1 [0109.306] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabeeea00, ftCreationTime.dwHighDateTime=0x1c63848, ftLastAccessTime.dwLowDateTime=0x51e19d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xabeeea00, ftLastWriteTime.dwHighDateTime=0x1c63848, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="DocumentRepository.ico", cAlternateFileName="DOCUME~1.ICO")) returned 1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2=".") returned 1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="..") returned 1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="...") returned 1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="windows") returned -1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="$RECYCLE.BIN") returned 1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="rsa") returned -1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="log") returned -1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="NTDETECT.COM") returned -1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="ntldr") returned -1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="MSDOS.SYS") returned -1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="IO.SYS") returned -1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="boot.ini") returned 1 [0109.306] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="AUTOEXEC.BAT") returned 1 [0109.307] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="ntuser.dat") returned -1 [0109.307] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="desktop.ini") returned 1 [0109.307] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="CONFIG.SYS") returned 1 [0109.307] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="RECYCLER") returned -1 [0109.307] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="BOOTSECT.BAK") returned 1 [0109.307] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="bootmgr") returned 1 [0109.307] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="programdata") returned -1 [0109.307] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="appdata") returned 1 [0109.307] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="program files") returned -1 [0109.307] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="program files (x86)") returned -1 [0109.307] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\" [0109.307] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="DocumentRepository.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" [0109.307] PathFindExtensionW (pszPath="DocumentRepository.ico") returned=".ico" [0109.307] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0109.307] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0109.307] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0109.307] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0109.307] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0109.307] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0109.307] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0109.307] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0109.307] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0109.307] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0109.308] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0109.308] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0109.308] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0109.308] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0109.308] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0109.308] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0109.308] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0109.308] lstrlenA (lpString="NEPHILIM") returned 8 [0109.308] GetProcessHeap () returned 0x4e0000 [0109.308] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d4d8 [0109.308] lstrlenA (lpString="NEPHILIM") returned 8 [0109.308] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\documentrepository.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0109.309] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=25214) returned 1 [0109.309] GetProcessHeap () returned 0x4e0000 [0109.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0109.310] GetProcessHeap () returned 0x4e0000 [0109.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0109.310] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0109.310] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0109.310] GetProcessHeap () returned 0x4e0000 [0109.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0109.310] GetProcessHeap () returned 0x4e0000 [0109.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0109.310] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0109.310] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0109.310] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x627e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.311] SetLastError (dwErrCode=0x0) [0109.311] WriteFile (in: hFile=0xf0, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0109.313] GetLastError () returned 0x0 [0109.313] GetLastError () returned 0x0 [0109.313] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x637e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.313] WriteFile (in: hFile=0xf0, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0109.314] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x647e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.314] lstrlenA (lpString="NEPHILIM") returned 8 [0109.314] WriteFile (in: hFile=0xf0, lpBuffer=0x50d4d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d4d8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0109.314] GetProcessHeap () returned 0x4e0000 [0109.314] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x627e) returned 0x514fd8 [0109.314] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.314] ReadFile (in: hFile=0xf0, lpBuffer=0x514fd8, nNumberOfBytesToRead=0x627e, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesRead=0x24dddb0*=0x627e, lpOverlapped=0x0) returned 1 [0109.317] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.317] WriteFile (in: hFile=0xf0, lpBuffer=0x514fd8*, nNumberOfBytesToWrite=0x627e, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesWritten=0x24dddbc*=0x627e, lpOverlapped=0x0) returned 1 [0109.317] GetProcessHeap () returned 0x4e0000 [0109.318] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514fd8 | out: hHeap=0x4e0000) returned 1 [0109.318] CloseHandle (hObject=0xf0) returned 1 [0109.319] GetProcessHeap () returned 0x4e0000 [0109.319] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0109.319] GetProcessHeap () returned 0x4e0000 [0109.319] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0109.319] GetProcessHeap () returned 0x4e0000 [0109.319] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0109.319] GetProcessHeap () returned 0x4e0000 [0109.320] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0109.320] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" [0109.320] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.NEPHILIM" [0109.320] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\documentrepository.ico"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\documentrepository.ico.nephilim")) returned 1 [0109.321] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2bfbd800, ftCreationTime.dwHighDateTime=0x1c9facb, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2bfbd800, ftLastWriteTime.dwHighDateTime=0x1c9facb, nFileSizeHigh=0x0, nFileSizeLow=0x5532e, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="MySharePoints.ico", cAlternateFileName="MYSHAR~1.ICO")) returned 1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2=".") returned 1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="..") returned 1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="...") returned 1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="windows") returned -1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="$RECYCLE.BIN") returned 1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="rsa") returned -1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="log") returned 1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="NTDETECT.COM") returned -1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="ntldr") returned -1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="MSDOS.SYS") returned 1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="IO.SYS") returned 1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="boot.ini") returned 1 [0109.321] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="AUTOEXEC.BAT") returned 1 [0109.322] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="ntuser.dat") returned -1 [0109.322] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="desktop.ini") returned 1 [0109.322] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="CONFIG.SYS") returned 1 [0109.322] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="RECYCLER") returned -1 [0109.322] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="BOOTSECT.BAK") returned 1 [0109.322] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="bootmgr") returned 1 [0109.322] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="programdata") returned -1 [0109.322] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="appdata") returned 1 [0109.322] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="program files") returned -1 [0109.322] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="program files (x86)") returned -1 [0109.322] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\" [0109.322] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="MySharePoints.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" [0109.322] PathFindExtensionW (pszPath="MySharePoints.ico") returned=".ico" [0109.322] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0109.322] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0109.322] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0109.322] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0109.322] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0109.322] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0109.322] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0109.322] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0109.322] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0109.323] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0109.323] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0109.323] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0109.323] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0109.323] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0109.323] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0109.323] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0109.323] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0109.323] lstrlenA (lpString="NEPHILIM") returned 8 [0109.323] GetProcessHeap () returned 0x4e0000 [0109.323] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d4e8 [0109.323] lstrlenA (lpString="NEPHILIM") returned 8 [0109.323] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\mysharepoints.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0109.328] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=348974) returned 1 [0109.328] GetProcessHeap () returned 0x4e0000 [0109.328] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0109.328] GetProcessHeap () returned 0x4e0000 [0109.328] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0109.328] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0109.328] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0109.328] GetProcessHeap () returned 0x4e0000 [0109.328] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0109.328] GetProcessHeap () returned 0x4e0000 [0109.328] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0109.328] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0109.329] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0109.329] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x5532e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.329] SetLastError (dwErrCode=0x0) [0109.329] WriteFile (in: hFile=0xf0, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0109.397] GetLastError () returned 0x0 [0109.397] GetLastError () returned 0x0 [0109.397] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x5542e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.398] WriteFile (in: hFile=0xf0, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0109.398] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x5552e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.398] lstrlenA (lpString="NEPHILIM") returned 8 [0109.399] WriteFile (in: hFile=0xf0, lpBuffer=0x50d4e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d4e8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0109.399] GetProcessHeap () returned 0x4e0000 [0109.399] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x5532e) returned 0x514fd8 [0109.399] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.399] ReadFile (in: hFile=0xf0, lpBuffer=0x514fd8, nNumberOfBytesToRead=0x5532e, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesRead=0x24dddb0*=0x5532e, lpOverlapped=0x0) returned 1 [0109.426] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.426] WriteFile (in: hFile=0xf0, lpBuffer=0x514fd8*, nNumberOfBytesToWrite=0x5532e, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesWritten=0x24dddbc*=0x5532e, lpOverlapped=0x0) returned 1 [0109.428] GetProcessHeap () returned 0x4e0000 [0109.428] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514fd8 | out: hHeap=0x4e0000) returned 1 [0109.434] CloseHandle (hObject=0xf0) returned 1 [0109.440] GetProcessHeap () returned 0x4e0000 [0109.440] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0109.440] GetProcessHeap () returned 0x4e0000 [0109.440] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0109.440] GetProcessHeap () returned 0x4e0000 [0109.441] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0109.441] GetProcessHeap () returned 0x4e0000 [0109.441] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0109.441] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" [0109.441] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.NEPHILIM" [0109.441] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\mysharepoints.ico"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\mysharepoints.ico.nephilim")) returned 1 [0109.442] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc92d1d00, ftCreationTime.dwHighDateTime=0x1c627a2, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc92d1d00, ftLastWriteTime.dwHighDateTime=0x1c627a2, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="MySite.ico", cAlternateFileName="")) returned 1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2=".") returned 1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2="..") returned 1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2="...") returned 1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2="windows") returned -1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2="$RECYCLE.BIN") returned 1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2="rsa") returned -1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2="log") returned 1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2="NTDETECT.COM") returned -1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2="ntldr") returned -1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2="MSDOS.SYS") returned 1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2="IO.SYS") returned 1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2="boot.ini") returned 1 [0109.442] lstrcmpiW (lpString1="MySite.ico", lpString2="AUTOEXEC.BAT") returned 1 [0109.443] lstrcmpiW (lpString1="MySite.ico", lpString2="ntuser.dat") returned -1 [0109.443] lstrcmpiW (lpString1="MySite.ico", lpString2="desktop.ini") returned 1 [0109.443] lstrcmpiW (lpString1="MySite.ico", lpString2="CONFIG.SYS") returned 1 [0109.443] lstrcmpiW (lpString1="MySite.ico", lpString2="RECYCLER") returned -1 [0109.443] lstrcmpiW (lpString1="MySite.ico", lpString2="BOOTSECT.BAK") returned 1 [0109.443] lstrcmpiW (lpString1="MySite.ico", lpString2="bootmgr") returned 1 [0109.443] lstrcmpiW (lpString1="MySite.ico", lpString2="programdata") returned -1 [0109.443] lstrcmpiW (lpString1="MySite.ico", lpString2="appdata") returned 1 [0109.443] lstrcmpiW (lpString1="MySite.ico", lpString2="program files") returned -1 [0109.443] lstrcmpiW (lpString1="MySite.ico", lpString2="program files (x86)") returned -1 [0109.443] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\" [0109.443] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="MySite.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico" [0109.443] PathFindExtensionW (pszPath="MySite.ico") returned=".ico" [0109.443] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0109.443] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0109.443] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0109.443] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0109.443] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0109.444] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0109.444] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0109.444] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0109.444] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0109.444] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0109.444] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0109.444] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0109.444] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0109.444] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0109.444] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0109.444] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0109.444] lstrcmpiW (lpString1="MySite.ico", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0109.444] lstrlenA (lpString="NEPHILIM") returned 8 [0109.444] GetProcessHeap () returned 0x4e0000 [0109.444] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d4f8 [0109.444] lstrlenA (lpString="NEPHILIM") returned 8 [0109.444] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\mysite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0109.449] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=25214) returned 1 [0109.449] GetProcessHeap () returned 0x4e0000 [0109.449] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0109.449] GetProcessHeap () returned 0x4e0000 [0109.449] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0109.449] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0109.449] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0109.449] GetProcessHeap () returned 0x4e0000 [0109.449] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0109.449] GetProcessHeap () returned 0x4e0000 [0109.449] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0109.449] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0109.450] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0109.450] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x627e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.450] SetLastError (dwErrCode=0x0) [0109.450] WriteFile (in: hFile=0xf0, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0109.454] GetLastError () returned 0x0 [0109.454] GetLastError () returned 0x0 [0109.454] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x637e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.454] WriteFile (in: hFile=0xf0, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0109.454] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x647e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.455] lstrlenA (lpString="NEPHILIM") returned 8 [0109.455] WriteFile (in: hFile=0xf0, lpBuffer=0x50d4f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d4f8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0109.455] GetProcessHeap () returned 0x4e0000 [0109.455] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x627e) returned 0x514fd8 [0109.455] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.455] ReadFile (in: hFile=0xf0, lpBuffer=0x514fd8, nNumberOfBytesToRead=0x627e, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesRead=0x24dddb0*=0x627e, lpOverlapped=0x0) returned 1 [0109.458] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.458] WriteFile (in: hFile=0xf0, lpBuffer=0x514fd8*, nNumberOfBytesToWrite=0x627e, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesWritten=0x24dddbc*=0x627e, lpOverlapped=0x0) returned 1 [0109.458] GetProcessHeap () returned 0x4e0000 [0109.458] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514fd8 | out: hHeap=0x4e0000) returned 1 [0109.458] CloseHandle (hObject=0xf0) returned 1 [0109.460] GetProcessHeap () returned 0x4e0000 [0109.460] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0109.460] GetProcessHeap () returned 0x4e0000 [0109.460] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0109.460] GetProcessHeap () returned 0x4e0000 [0109.461] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0109.461] GetProcessHeap () returned 0x4e0000 [0109.461] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0109.461] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico" [0109.461] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico.NEPHILIM" [0109.461] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\mysite.ico"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\MySite.ico.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\mysite.ico.nephilim")) returned 1 [0109.462] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf2444900, ftCreationTime.dwHighDateTime=0x1c63848, ftLastAccessTime.dwLowDateTime=0x5ab49610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2444900, ftLastWriteTime.dwHighDateTime=0x1c63848, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="SharePointPortalSite.ico", cAlternateFileName="SHAREP~1.ICO")) returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2=".") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="..") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="...") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="windows") returned -1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="$RECYCLE.BIN") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="rsa") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="log") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="NTDETECT.COM") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="ntldr") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="MSDOS.SYS") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="IO.SYS") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="boot.ini") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="AUTOEXEC.BAT") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="ntuser.dat") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="desktop.ini") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="CONFIG.SYS") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="RECYCLER") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="BOOTSECT.BAK") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="bootmgr") returned 1 [0109.462] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="programdata") returned 1 [0109.463] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="appdata") returned 1 [0109.463] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="program files") returned 1 [0109.463] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="program files (x86)") returned 1 [0109.463] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\" [0109.463] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="SharePointPortalSite.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico" [0109.463] PathFindExtensionW (pszPath="SharePointPortalSite.ico") returned=".ico" [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0109.463] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0109.463] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0109.463] lstrlenA (lpString="NEPHILIM") returned 8 [0109.463] GetProcessHeap () returned 0x4e0000 [0109.464] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d508 [0109.464] lstrlenA (lpString="NEPHILIM") returned 8 [0109.464] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0109.465] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=25214) returned 1 [0109.465] GetProcessHeap () returned 0x4e0000 [0109.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0109.465] GetProcessHeap () returned 0x4e0000 [0109.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0109.465] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0109.465] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0109.465] GetProcessHeap () returned 0x4e0000 [0109.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0109.465] GetProcessHeap () returned 0x4e0000 [0109.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0109.465] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0109.465] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0109.466] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x627e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.466] SetLastError (dwErrCode=0x0) [0109.466] WriteFile (in: hFile=0xf0, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0109.467] GetLastError () returned 0x0 [0109.467] GetLastError () returned 0x0 [0109.468] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x637e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.468] WriteFile (in: hFile=0xf0, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0109.468] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x647e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.468] lstrlenA (lpString="NEPHILIM") returned 8 [0109.468] WriteFile (in: hFile=0xf0, lpBuffer=0x50d508*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d508*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0109.468] GetProcessHeap () returned 0x4e0000 [0109.468] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x627e) returned 0x514fd8 [0109.468] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.468] ReadFile (in: hFile=0xf0, lpBuffer=0x514fd8, nNumberOfBytesToRead=0x627e, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesRead=0x24dddb0*=0x627e, lpOverlapped=0x0) returned 1 [0109.471] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.471] WriteFile (in: hFile=0xf0, lpBuffer=0x514fd8*, nNumberOfBytesToWrite=0x627e, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesWritten=0x24dddbc*=0x627e, lpOverlapped=0x0) returned 1 [0109.471] GetProcessHeap () returned 0x4e0000 [0109.471] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514fd8 | out: hHeap=0x4e0000) returned 1 [0109.471] CloseHandle (hObject=0xf0) returned 1 [0109.478] GetProcessHeap () returned 0x4e0000 [0109.478] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0109.478] GetProcessHeap () returned 0x4e0000 [0109.478] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0109.478] GetProcessHeap () returned 0x4e0000 [0109.478] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0109.478] GetProcessHeap () returned 0x4e0000 [0109.478] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0109.478] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico" [0109.478] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico.NEPHILIM" [0109.478] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico.nephilim")) returned 1 [0109.479] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad743900, ftCreationTime.dwHighDateTime=0x1c62706, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad743900, ftLastWriteTime.dwHighDateTime=0x1c62706, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="SharePointTeamSite.ico", cAlternateFileName="SHAREP~2.ICO")) returned 1 [0109.479] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2=".") returned 1 [0109.479] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="..") returned 1 [0109.479] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="...") returned 1 [0109.479] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="windows") returned -1 [0109.479] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="$RECYCLE.BIN") returned 1 [0109.479] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="rsa") returned 1 [0109.479] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="log") returned 1 [0109.479] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="NTDETECT.COM") returned 1 [0109.479] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="ntldr") returned 1 [0109.479] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="MSDOS.SYS") returned 1 [0109.479] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="IO.SYS") returned 1 [0109.480] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="boot.ini") returned 1 [0109.480] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="AUTOEXEC.BAT") returned 1 [0109.480] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="ntuser.dat") returned 1 [0109.480] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="desktop.ini") returned 1 [0109.480] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="CONFIG.SYS") returned 1 [0109.480] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="RECYCLER") returned 1 [0109.480] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="BOOTSECT.BAK") returned 1 [0109.480] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="bootmgr") returned 1 [0109.480] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="programdata") returned 1 [0109.480] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="appdata") returned 1 [0109.480] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="program files") returned 1 [0109.480] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="program files (x86)") returned 1 [0109.480] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\" [0109.480] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="SharePointTeamSite.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico" [0109.480] PathFindExtensionW (pszPath="SharePointTeamSite.ico") returned=".ico" [0109.480] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0109.480] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0109.480] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0109.480] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0109.480] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0109.480] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0109.480] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0109.480] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0109.480] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0109.480] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0109.480] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0109.481] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0109.481] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0109.481] lstrcmpiW (lpString1=".ico", lpString2=".NEPHILIM") returned -1 [0109.481] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0109.481] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0109.481] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0109.481] lstrlenA (lpString="NEPHILIM") returned 8 [0109.481] GetProcessHeap () returned 0x4e0000 [0109.481] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d518 [0109.481] lstrlenA (lpString="NEPHILIM") returned 8 [0109.481] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0109.483] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=25214) returned 1 [0109.484] GetProcessHeap () returned 0x4e0000 [0109.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0109.484] GetProcessHeap () returned 0x4e0000 [0109.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0109.484] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0109.484] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0109.484] GetProcessHeap () returned 0x4e0000 [0109.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0109.484] GetProcessHeap () returned 0x4e0000 [0109.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0109.484] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0109.485] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0109.485] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x627e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.485] SetLastError (dwErrCode=0x0) [0109.485] WriteFile (in: hFile=0xf0, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0109.489] GetLastError () returned 0x0 [0109.489] GetLastError () returned 0x0 [0109.489] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x637e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.489] WriteFile (in: hFile=0xf0, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0109.489] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x647e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.489] lstrlenA (lpString="NEPHILIM") returned 8 [0109.489] WriteFile (in: hFile=0xf0, lpBuffer=0x50d518*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d518*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0109.489] GetProcessHeap () returned 0x4e0000 [0109.490] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x627e) returned 0x514fd8 [0109.490] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.490] ReadFile (in: hFile=0xf0, lpBuffer=0x514fd8, nNumberOfBytesToRead=0x627e, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesRead=0x24dddb0*=0x627e, lpOverlapped=0x0) returned 1 [0109.493] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.493] WriteFile (in: hFile=0xf0, lpBuffer=0x514fd8*, nNumberOfBytesToWrite=0x627e, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesWritten=0x24dddbc*=0x627e, lpOverlapped=0x0) returned 1 [0109.494] GetProcessHeap () returned 0x4e0000 [0109.494] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514fd8 | out: hHeap=0x4e0000) returned 1 [0109.494] CloseHandle (hObject=0xf0) returned 1 [0109.494] GetProcessHeap () returned 0x4e0000 [0109.494] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0109.494] GetProcessHeap () returned 0x4e0000 [0109.494] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0109.494] GetProcessHeap () returned 0x4e0000 [0109.494] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0109.494] GetProcessHeap () returned 0x4e0000 [0109.494] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0109.494] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico" [0109.494] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico.NEPHILIM" [0109.494] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico.nephilim")) returned 1 [0109.495] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="UICaptions", cAlternateFileName="UICAPT~1")) returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2=".") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="..") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="...") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="windows") returned -1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="$RECYCLE.BIN") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="rsa") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="log") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="NTDETECT.COM") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="ntldr") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="MSDOS.SYS") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="IO.SYS") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="boot.ini") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="AUTOEXEC.BAT") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="ntuser.dat") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="desktop.ini") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="CONFIG.SYS") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="RECYCLER") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="BOOTSECT.BAK") returned 1 [0109.495] lstrcmpiW (lpString1="UICaptions", lpString2="bootmgr") returned 1 [0109.496] lstrcmpiW (lpString1="UICaptions", lpString2="programdata") returned 1 [0109.496] lstrcmpiW (lpString1="UICaptions", lpString2="appdata") returned 1 [0109.496] lstrcmpiW (lpString1="UICaptions", lpString2="program files") returned 1 [0109.496] lstrcmpiW (lpString1="UICaptions", lpString2="program files (x86)") returned 1 [0109.496] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\" [0109.496] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="UICaptions" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions" [0109.496] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" [0109.496] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" [0109.496] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\*.*") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\*.*" [0109.496] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x3cadb4a3, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0109.497] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.497] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x3cadb4a3, cFileName="..", cAlternateFileName="")) returned 1 [0109.497] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.497] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.497] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x3cadb4a3, cFileName="1036", cAlternateFileName="")) returned 1 [0109.497] lstrcmpiW (lpString1="1036", lpString2=".") returned 1 [0109.497] lstrcmpiW (lpString1="1036", lpString2="..") returned 1 [0109.497] lstrcmpiW (lpString1="1036", lpString2="...") returned 1 [0109.497] lstrcmpiW (lpString1="1036", lpString2="windows") returned -1 [0109.497] lstrcmpiW (lpString1="1036", lpString2="$RECYCLE.BIN") returned 1 [0109.497] lstrcmpiW (lpString1="1036", lpString2="rsa") returned -1 [0109.497] lstrcmpiW (lpString1="1036", lpString2="log") returned -1 [0109.497] lstrcmpiW (lpString1="1036", lpString2="NTDETECT.COM") returned -1 [0109.497] lstrcmpiW (lpString1="1036", lpString2="ntldr") returned -1 [0109.497] lstrcmpiW (lpString1="1036", lpString2="MSDOS.SYS") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="IO.SYS") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="boot.ini") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="AUTOEXEC.BAT") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="ntuser.dat") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="desktop.ini") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="CONFIG.SYS") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="RECYCLER") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="BOOTSECT.BAK") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="bootmgr") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="programdata") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="appdata") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="program files") returned -1 [0109.498] lstrcmpiW (lpString1="1036", lpString2="program files (x86)") returned -1 [0109.498] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" [0109.498] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\", lpString2="1036" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036" [0109.498] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0109.498] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0109.498] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\*.*") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\*.*" [0109.498] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0109.500] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.500] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0109.506] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.506] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.506] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1be9a700, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="ENVELOPR.DLL.trx_dll", cAlternateFileName="ENVELO~1.TRX")) returned 1 [0109.506] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2=".") returned 1 [0109.506] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="..") returned 1 [0109.506] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="...") returned 1 [0109.506] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="windows") returned -1 [0109.506] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0109.506] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="rsa") returned -1 [0109.506] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="log") returned -1 [0109.506] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="NTDETECT.COM") returned -1 [0109.506] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="ntldr") returned -1 [0109.506] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="MSDOS.SYS") returned -1 [0109.506] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="IO.SYS") returned -1 [0109.506] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="boot.ini") returned 1 [0109.507] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0109.507] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0109.507] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0109.507] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0109.507] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0109.507] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0109.507] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="bootmgr") returned 1 [0109.507] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="programdata") returned -1 [0109.507] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="appdata") returned 1 [0109.507] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="program files") returned -1 [0109.507] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0109.507] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0109.507] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="ENVELOPR.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" [0109.507] PathFindExtensionW (pszPath="ENVELOPR.DLL.trx_dll") returned=".trx_dll" [0109.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0109.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0109.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0109.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0109.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0109.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0109.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0109.508] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0109.508] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0109.508] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0109.508] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0109.508] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0109.508] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0109.508] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0109.508] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0109.508] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0109.508] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0109.508] lstrlenA (lpString="NEPHILIM") returned 8 [0109.508] GetProcessHeap () returned 0x4e0000 [0109.508] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d528 [0109.508] lstrlenA (lpString="NEPHILIM") returned 8 [0109.508] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0109.509] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=14688) returned 1 [0109.509] GetProcessHeap () returned 0x4e0000 [0109.509] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0109.509] GetProcessHeap () returned 0x4e0000 [0109.509] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0109.509] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0109.509] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0109.509] GetProcessHeap () returned 0x4e0000 [0109.510] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0109.510] GetProcessHeap () returned 0x4e0000 [0109.510] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0109.510] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0109.510] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0109.510] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.510] SetLastError (dwErrCode=0x0) [0109.510] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0109.515] GetLastError () returned 0x0 [0109.515] GetLastError () returned 0x0 [0109.515] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.515] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0109.515] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.515] lstrlenA (lpString="NEPHILIM") returned 8 [0109.516] WriteFile (in: hFile=0xf8, lpBuffer=0x50d528*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d528*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0109.516] GetProcessHeap () returned 0x4e0000 [0109.516] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3960) returned 0x514fd8 [0109.516] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.516] ReadFile (in: hFile=0xf8, lpBuffer=0x514fd8, nNumberOfBytesToRead=0x3960, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x3960, lpOverlapped=0x0) returned 1 [0109.520] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.520] WriteFile (in: hFile=0xf8, lpBuffer=0x514fd8*, nNumberOfBytesToWrite=0x3960, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x3960, lpOverlapped=0x0) returned 1 [0109.521] GetProcessHeap () returned 0x4e0000 [0109.521] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514fd8 | out: hHeap=0x4e0000) returned 1 [0109.521] CloseHandle (hObject=0xf8) returned 1 [0109.521] GetProcessHeap () returned 0x4e0000 [0109.521] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0109.521] GetProcessHeap () returned 0x4e0000 [0109.521] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0109.521] GetProcessHeap () returned 0x4e0000 [0109.521] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0109.521] GetProcessHeap () returned 0x4e0000 [0109.521] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0109.521] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" [0109.521] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.NEPHILIM" [0109.521] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll.nephilim")) returned 1 [0109.522] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd48e100, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbd48e100, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0xbf60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="GRINTL32.DLL.trx_dll", cAlternateFileName="GRINTL~1.TRX")) returned 1 [0109.522] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2=".") returned 1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="..") returned 1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="...") returned 1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="windows") returned -1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="rsa") returned -1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="log") returned -1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="NTDETECT.COM") returned -1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="ntldr") returned -1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="MSDOS.SYS") returned -1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="IO.SYS") returned -1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="boot.ini") returned 1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="bootmgr") returned 1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="programdata") returned -1 [0109.523] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="appdata") returned 1 [0109.524] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="program files") returned -1 [0109.524] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0109.524] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0109.524] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="GRINTL32.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" [0109.524] PathFindExtensionW (pszPath="GRINTL32.DLL.trx_dll") returned=".trx_dll" [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0109.524] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0109.524] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0109.525] lstrlenA (lpString="NEPHILIM") returned 8 [0109.525] GetProcessHeap () returned 0x4e0000 [0109.525] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d538 [0109.525] lstrlenA (lpString="NEPHILIM") returned 8 [0109.525] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0109.526] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=48992) returned 1 [0109.526] GetProcessHeap () returned 0x4e0000 [0109.526] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0109.526] GetProcessHeap () returned 0x4e0000 [0109.526] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0109.526] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0109.526] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0109.526] GetProcessHeap () returned 0x4e0000 [0109.526] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0109.526] GetProcessHeap () returned 0x4e0000 [0109.526] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0109.526] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0109.526] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0109.526] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xbf60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.527] SetLastError (dwErrCode=0x0) [0109.527] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0109.535] GetLastError () returned 0x0 [0109.535] GetLastError () returned 0x0 [0109.535] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xc060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.535] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0109.535] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xc160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.535] lstrlenA (lpString="NEPHILIM") returned 8 [0109.536] WriteFile (in: hFile=0xf8, lpBuffer=0x50d538*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d538*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0109.536] GetProcessHeap () returned 0x4e0000 [0109.536] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xbf60) returned 0x516fd8 [0109.536] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.536] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0xbf60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0xbf60, lpOverlapped=0x0) returned 1 [0109.557] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.557] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0xbf60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0xbf60, lpOverlapped=0x0) returned 1 [0109.558] GetProcessHeap () returned 0x4e0000 [0109.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0109.558] CloseHandle (hObject=0xf8) returned 1 [0109.558] GetProcessHeap () returned 0x4e0000 [0109.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0109.558] GetProcessHeap () returned 0x4e0000 [0109.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0109.558] GetProcessHeap () returned 0x4e0000 [0109.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0109.558] GetProcessHeap () returned 0x4e0000 [0109.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0109.559] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" [0109.559] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.NEPHILIM" [0109.559] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll.nephilim")) returned 1 [0109.560] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd48e100, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbd48e100, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0x3d960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="GRINTL32.REST.trx_dll", cAlternateFileName="GRINTL~2.TRX")) returned 1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2=".") returned 1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="..") returned 1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="...") returned 1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="windows") returned -1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="rsa") returned -1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="log") returned -1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="NTDETECT.COM") returned -1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="ntldr") returned -1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="MSDOS.SYS") returned -1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="IO.SYS") returned -1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="boot.ini") returned 1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="ntuser.dat") returned -1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="desktop.ini") returned 1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="RECYCLER") returned -1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="bootmgr") returned 1 [0109.560] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="programdata") returned -1 [0109.561] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="appdata") returned 1 [0109.561] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="program files") returned -1 [0109.561] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="program files (x86)") returned -1 [0109.561] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0109.561] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="GRINTL32.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" [0109.561] PathFindExtensionW (pszPath="GRINTL32.REST.trx_dll") returned=".trx_dll" [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0109.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0109.561] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0109.562] lstrlenA (lpString="NEPHILIM") returned 8 [0109.562] GetProcessHeap () returned 0x4e0000 [0109.562] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d548 [0109.562] lstrlenA (lpString="NEPHILIM") returned 8 [0109.562] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0109.563] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=252256) returned 1 [0109.563] GetProcessHeap () returned 0x4e0000 [0109.563] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0109.563] GetProcessHeap () returned 0x4e0000 [0109.563] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0109.563] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0109.563] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0109.563] GetProcessHeap () returned 0x4e0000 [0109.563] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0109.563] GetProcessHeap () returned 0x4e0000 [0109.563] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0109.563] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0109.564] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0109.564] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3d960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.564] SetLastError (dwErrCode=0x0) [0109.564] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0109.580] GetLastError () returned 0x0 [0109.580] GetLastError () returned 0x0 [0109.580] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3da60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.580] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0109.580] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3db60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.580] lstrlenA (lpString="NEPHILIM") returned 8 [0109.580] WriteFile (in: hFile=0xf8, lpBuffer=0x50d548*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d548*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0109.580] GetProcessHeap () returned 0x4e0000 [0109.580] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3d960) returned 0x516fd8 [0109.581] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.581] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x3d960, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x3d960, lpOverlapped=0x0) returned 1 [0109.613] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.613] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x3d960, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x3d960, lpOverlapped=0x0) returned 1 [0109.614] GetProcessHeap () returned 0x4e0000 [0109.614] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0109.614] CloseHandle (hObject=0xf8) returned 1 [0109.615] GetProcessHeap () returned 0x4e0000 [0109.615] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0109.615] GetProcessHeap () returned 0x4e0000 [0109.615] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0109.615] GetProcessHeap () returned 0x4e0000 [0109.615] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0109.615] GetProcessHeap () returned 0x4e0000 [0109.615] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0109.615] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" [0109.615] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.NEPHILIM" [0109.616] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll.nephilim")) returned 1 [0109.617] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1be9a700, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x49f60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="MAPIR.DLL.trx_dll", cAlternateFileName="MAPIRD~1.TRX")) returned 1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2=".") returned 1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="..") returned 1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="...") returned 1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="windows") returned -1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="rsa") returned -1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="log") returned 1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="NTDETECT.COM") returned -1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="ntldr") returned -1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="MSDOS.SYS") returned -1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="boot.ini") returned 1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0109.617] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0109.618] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0109.618] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0109.618] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0109.618] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0109.618] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="bootmgr") returned 1 [0109.618] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="programdata") returned -1 [0109.618] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="appdata") returned 1 [0109.618] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="program files") returned -1 [0109.618] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0109.618] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0109.618] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="MAPIR.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" [0109.618] PathFindExtensionW (pszPath="MAPIR.DLL.trx_dll") returned=".trx_dll" [0109.618] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0109.618] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0109.618] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0109.618] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0109.618] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0109.618] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0109.618] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0109.618] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0109.618] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0109.619] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0109.619] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0109.619] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0109.619] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0109.619] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0109.619] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0109.619] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0109.619] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0109.619] lstrlenA (lpString="NEPHILIM") returned 8 [0109.619] GetProcessHeap () returned 0x4e0000 [0109.619] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d558 [0109.619] lstrlenA (lpString="NEPHILIM") returned 8 [0109.619] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0109.620] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=302944) returned 1 [0109.620] GetProcessHeap () returned 0x4e0000 [0109.621] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0109.621] GetProcessHeap () returned 0x4e0000 [0109.621] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0109.621] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0109.621] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0109.621] GetProcessHeap () returned 0x4e0000 [0109.621] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0109.621] GetProcessHeap () returned 0x4e0000 [0109.621] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0109.621] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0109.621] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0109.621] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x49f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.622] SetLastError (dwErrCode=0x0) [0109.622] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0109.751] GetLastError () returned 0x0 [0109.751] GetLastError () returned 0x0 [0109.751] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x4a060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.751] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0109.751] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x4a160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.751] lstrlenA (lpString="NEPHILIM") returned 8 [0109.751] WriteFile (in: hFile=0xf8, lpBuffer=0x50d558*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d558*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0109.751] GetProcessHeap () returned 0x4e0000 [0109.751] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x49f60) returned 0x516fd8 [0109.752] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.752] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x49f60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x49f60, lpOverlapped=0x0) returned 1 [0109.833] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.833] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x49f60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x49f60, lpOverlapped=0x0) returned 1 [0109.835] GetProcessHeap () returned 0x4e0000 [0109.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0109.835] CloseHandle (hObject=0xf8) returned 1 [0109.836] GetProcessHeap () returned 0x4e0000 [0109.836] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0109.836] GetProcessHeap () returned 0x4e0000 [0109.836] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0109.836] GetProcessHeap () returned 0x4e0000 [0109.836] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0109.836] GetProcessHeap () returned 0x4e0000 [0109.836] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0109.836] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" [0109.836] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.NEPHILIM" [0109.836] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll.nephilim")) returned 1 [0109.837] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa27f6800, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa27f6800, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0xc160, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="MOR6INT.REST.trx_dll", cAlternateFileName="MOR6IN~1.TRX")) returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2=".") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="..") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="...") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="windows") returned -1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="rsa") returned -1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="log") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="NTDETECT.COM") returned -1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="ntldr") returned -1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="MSDOS.SYS") returned -1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="IO.SYS") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="boot.ini") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="ntuser.dat") returned -1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="desktop.ini") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="RECYCLER") returned -1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="bootmgr") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="programdata") returned -1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="appdata") returned 1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="program files") returned -1 [0109.837] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="program files (x86)") returned -1 [0109.837] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0109.837] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="MOR6INT.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" [0109.837] PathFindExtensionW (pszPath="MOR6INT.REST.trx_dll") returned=".trx_dll" [0109.837] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0109.837] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0109.838] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0109.838] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0109.838] lstrlenA (lpString="NEPHILIM") returned 8 [0109.838] GetProcessHeap () returned 0x4e0000 [0109.838] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d568 [0109.838] lstrlenA (lpString="NEPHILIM") returned 8 [0109.838] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0109.839] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=49504) returned 1 [0109.839] GetProcessHeap () returned 0x4e0000 [0109.839] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0109.839] GetProcessHeap () returned 0x4e0000 [0109.839] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0109.839] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0109.839] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0109.839] GetProcessHeap () returned 0x4e0000 [0109.839] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0109.839] GetProcessHeap () returned 0x4e0000 [0109.839] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0109.839] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0109.839] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0109.840] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xc160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.840] SetLastError (dwErrCode=0x0) [0109.840] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0110.199] GetLastError () returned 0x0 [0110.199] GetLastError () returned 0x0 [0110.199] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xc260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.199] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0110.199] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xc360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.199] lstrlenA (lpString="NEPHILIM") returned 8 [0110.199] WriteFile (in: hFile=0xf8, lpBuffer=0x50d568*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d568*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0110.199] GetProcessHeap () returned 0x4e0000 [0110.199] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xc160) returned 0x516fd8 [0110.199] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.199] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0xc160, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0xc160, lpOverlapped=0x0) returned 1 [0110.344] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.344] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0xc160, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0xc160, lpOverlapped=0x0) returned 1 [0110.345] GetProcessHeap () returned 0x4e0000 [0110.345] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0110.345] CloseHandle (hObject=0xf8) returned 1 [0110.345] GetProcessHeap () returned 0x4e0000 [0110.345] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0110.345] GetProcessHeap () returned 0x4e0000 [0110.345] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0110.345] GetProcessHeap () returned 0x4e0000 [0110.345] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0110.345] GetProcessHeap () returned 0x4e0000 [0110.345] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0110.345] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" [0110.345] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.NEPHILIM" [0110.345] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll.nephilim")) returned 1 [0110.346] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9f53ca00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x9f53ca00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x17960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="MSOINTL.DLL.trx_dll", cAlternateFileName="MSOINT~1.TRX")) returned 1 [0110.346] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2=".") returned 1 [0110.346] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="..") returned 1 [0110.346] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="...") returned 1 [0110.346] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="windows") returned -1 [0110.346] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="log") returned 1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned -1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="ntldr") returned -1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="program files") returned -1 [0110.347] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0110.347] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0110.347] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="MSOINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" [0110.347] PathFindExtensionW (pszPath="MSOINTL.DLL.trx_dll") returned=".trx_dll" [0110.347] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0110.347] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0110.347] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0110.347] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0110.347] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0110.347] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0110.348] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0110.348] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0110.348] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0110.348] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0110.348] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0110.348] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0110.348] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0110.348] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0110.348] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0110.348] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0110.348] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0110.348] lstrlenA (lpString="NEPHILIM") returned 8 [0110.348] GetProcessHeap () returned 0x4e0000 [0110.348] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d578 [0110.348] lstrlenA (lpString="NEPHILIM") returned 8 [0110.348] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0110.349] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=96608) returned 1 [0110.349] GetProcessHeap () returned 0x4e0000 [0110.349] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0110.349] GetProcessHeap () returned 0x4e0000 [0110.349] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0110.349] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0110.349] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0110.349] GetProcessHeap () returned 0x4e0000 [0110.349] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0110.349] GetProcessHeap () returned 0x4e0000 [0110.349] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0110.349] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0110.349] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0110.349] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x17960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.349] SetLastError (dwErrCode=0x0) [0110.350] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0110.354] GetLastError () returned 0x0 [0110.354] GetLastError () returned 0x0 [0110.354] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x17a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.354] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0110.354] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x17b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.354] lstrlenA (lpString="NEPHILIM") returned 8 [0110.354] WriteFile (in: hFile=0xf8, lpBuffer=0x50d578*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d578*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0110.355] GetProcessHeap () returned 0x4e0000 [0110.355] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x17960) returned 0x516fd8 [0110.355] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.355] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x17960, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x17960, lpOverlapped=0x0) returned 1 [0110.381] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.381] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x17960, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x17960, lpOverlapped=0x0) returned 1 [0110.382] GetProcessHeap () returned 0x4e0000 [0110.382] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0110.382] CloseHandle (hObject=0xf8) returned 1 [0110.382] GetProcessHeap () returned 0x4e0000 [0110.382] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0110.382] GetProcessHeap () returned 0x4e0000 [0110.382] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0110.382] GetProcessHeap () returned 0x4e0000 [0110.382] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0110.382] GetProcessHeap () returned 0x4e0000 [0110.382] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0110.383] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" [0110.383] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.NEPHILIM" [0110.383] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll.nephilim")) returned 1 [0110.383] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9f53ca00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x9f53ca00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x2ced60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="MSOINTL.REST.trx_dll", cAlternateFileName="MSOINT~2.TRX")) returned 1 [0110.383] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2=".") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="..") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="...") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="windows") returned -1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="rsa") returned -1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="log") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="NTDETECT.COM") returned -1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="ntldr") returned -1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="IO.SYS") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="boot.ini") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="ntuser.dat") returned -1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="desktop.ini") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="RECYCLER") returned -1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="bootmgr") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="programdata") returned -1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="appdata") returned 1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="program files") returned -1 [0110.384] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="program files (x86)") returned -1 [0110.384] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0110.384] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="MSOINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" [0110.385] PathFindExtensionW (pszPath="MSOINTL.REST.trx_dll") returned=".trx_dll" [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0110.385] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0110.385] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0110.385] lstrlenA (lpString="NEPHILIM") returned 8 [0110.385] GetProcessHeap () returned 0x4e0000 [0110.385] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d588 [0110.385] lstrlenA (lpString="NEPHILIM") returned 8 [0110.385] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0110.398] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=2944352) returned 1 [0110.398] GetProcessHeap () returned 0x4e0000 [0110.398] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0110.398] GetProcessHeap () returned 0x4e0000 [0110.398] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0110.398] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0110.398] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0110.398] GetProcessHeap () returned 0x4e0000 [0110.398] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0110.398] GetProcessHeap () returned 0x4e0000 [0110.398] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0110.398] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0110.399] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0110.399] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x2ced60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.399] SetLastError (dwErrCode=0x0) [0110.399] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0110.410] GetLastError () returned 0x0 [0110.410] GetLastError () returned 0x0 [0110.410] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x2cee60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.410] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0110.410] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x2cef60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.410] lstrlenA (lpString="NEPHILIM") returned 8 [0110.410] WriteFile (in: hFile=0xf8, lpBuffer=0x50d588*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d588*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0110.410] GetProcessHeap () returned 0x4e0000 [0110.410] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2110020 [0110.411] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.411] ReadFile (in: hFile=0xf8, lpBuffer=0x2110020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dd0b0*=0x927c0, lpOverlapped=0x0) returned 1 [0110.488] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.488] WriteFile (in: hFile=0xf8, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dd0bc*=0x927c0, lpOverlapped=0x0) returned 1 [0110.490] GetProcessHeap () returned 0x4e0000 [0110.490] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0110.494] CloseHandle (hObject=0xf8) returned 1 [0110.630] GetProcessHeap () returned 0x4e0000 [0110.630] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0110.630] GetProcessHeap () returned 0x4e0000 [0110.630] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0110.630] GetProcessHeap () returned 0x4e0000 [0110.630] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0110.630] GetProcessHeap () returned 0x4e0000 [0110.630] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0110.631] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" [0110.631] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.NEPHILIM" [0110.631] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll.nephilim")) returned 1 [0110.633] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa381000, ftCreationTime.dwHighDateTime=0x1cac7fb, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xaa381000, ftLastWriteTime.dwHighDateTime=0x1cac7fb, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="OMSINTL.DLL.trx_dll", cAlternateFileName="OMSINT~1.TRX")) returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2=".") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="..") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="...") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="windows") returned -1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="log") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0110.633] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0110.634] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0110.634] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="program files") returned -1 [0110.634] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0110.634] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0110.634] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="OMSINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" [0110.634] PathFindExtensionW (pszPath="OMSINTL.DLL.trx_dll") returned=".trx_dll" [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0110.634] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0110.635] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0110.635] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0110.635] lstrlenA (lpString="NEPHILIM") returned 8 [0110.635] GetProcessHeap () returned 0x4e0000 [0110.635] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d598 [0110.635] lstrlenA (lpString="NEPHILIM") returned 8 [0110.635] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0110.637] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=45920) returned 1 [0110.637] GetProcessHeap () returned 0x4e0000 [0110.637] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0110.637] GetProcessHeap () returned 0x4e0000 [0110.637] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0110.637] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0110.637] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0110.637] GetProcessHeap () returned 0x4e0000 [0110.637] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0110.637] GetProcessHeap () returned 0x4e0000 [0110.637] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0110.637] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0110.637] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0110.638] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xb360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.638] SetLastError (dwErrCode=0x0) [0110.638] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0110.842] GetLastError () returned 0x0 [0110.842] GetLastError () returned 0x0 [0110.842] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xb460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.842] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0110.842] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xb560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.842] lstrlenA (lpString="NEPHILIM") returned 8 [0110.842] WriteFile (in: hFile=0xf8, lpBuffer=0x50d598*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d598*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0110.842] GetProcessHeap () returned 0x4e0000 [0110.842] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xb360) returned 0x516fd8 [0110.842] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.842] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0xb360, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0xb360, lpOverlapped=0x0) returned 1 [0110.871] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.871] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0xb360, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0xb360, lpOverlapped=0x0) returned 1 [0110.872] GetProcessHeap () returned 0x4e0000 [0110.872] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0110.872] CloseHandle (hObject=0xf8) returned 1 [0110.872] GetProcessHeap () returned 0x4e0000 [0110.872] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0110.872] GetProcessHeap () returned 0x4e0000 [0110.872] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0110.872] GetProcessHeap () returned 0x4e0000 [0110.872] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0110.872] GetProcessHeap () returned 0x4e0000 [0110.872] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0110.872] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" [0110.872] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.NEPHILIM" [0110.872] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll.nephilim")) returned 1 [0110.873] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7337cc00, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7337cc00, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x7b60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="ONINTL.DLL.trx_dll", cAlternateFileName="ONINTL~1.TRX")) returned 1 [0110.873] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2=".") returned 1 [0110.873] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="..") returned 1 [0110.873] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="...") returned 1 [0110.873] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="windows") returned -1 [0110.873] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0110.873] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="log") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="program files") returned -1 [0110.874] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0110.874] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0110.874] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="ONINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" [0110.874] PathFindExtensionW (pszPath="ONINTL.DLL.trx_dll") returned=".trx_dll" [0110.874] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0110.874] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0110.874] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0110.874] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0110.874] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0110.874] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0110.874] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0110.875] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0110.875] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0110.875] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0110.875] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0110.875] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0110.875] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0110.875] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0110.875] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0110.875] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0110.875] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0110.875] lstrlenA (lpString="NEPHILIM") returned 8 [0110.875] GetProcessHeap () returned 0x4e0000 [0110.875] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d5a8 [0110.875] lstrlenA (lpString="NEPHILIM") returned 8 [0110.875] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0110.878] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=31584) returned 1 [0110.878] GetProcessHeap () returned 0x4e0000 [0110.878] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0110.878] GetProcessHeap () returned 0x4e0000 [0110.878] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0110.878] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0110.878] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0110.878] GetProcessHeap () returned 0x4e0000 [0110.878] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0110.878] GetProcessHeap () returned 0x4e0000 [0110.878] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0110.878] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0110.879] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0110.879] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x7b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.879] SetLastError (dwErrCode=0x0) [0110.879] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0110.933] GetLastError () returned 0x0 [0110.933] GetLastError () returned 0x0 [0110.933] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x7c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.933] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0110.933] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x7d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.933] lstrlenA (lpString="NEPHILIM") returned 8 [0110.933] WriteFile (in: hFile=0xf8, lpBuffer=0x50d5a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d5a8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0110.933] GetProcessHeap () returned 0x4e0000 [0110.933] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x7b60) returned 0x516fd8 [0110.933] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.933] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x7b60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x7b60, lpOverlapped=0x0) returned 1 [0110.975] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.975] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x7b60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x7b60, lpOverlapped=0x0) returned 1 [0110.975] GetProcessHeap () returned 0x4e0000 [0110.975] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0110.975] CloseHandle (hObject=0xf8) returned 1 [0110.975] GetProcessHeap () returned 0x4e0000 [0110.975] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0110.975] GetProcessHeap () returned 0x4e0000 [0110.975] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0110.976] GetProcessHeap () returned 0x4e0000 [0110.976] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0110.976] GetProcessHeap () returned 0x4e0000 [0110.976] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0110.976] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" [0110.976] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.NEPHILIM" [0110.976] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll.nephilim")) returned 1 [0110.977] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7337cc00, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7337cc00, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x3fb60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="ONINTL.REST.trx_dll", cAlternateFileName="ONINTL~2.TRX")) returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2=".") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="..") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="...") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="windows") returned -1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="rsa") returned -1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="log") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="ntldr") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="IO.SYS") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="boot.ini") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="desktop.ini") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="RECYCLER") returned -1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="bootmgr") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="programdata") returned -1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="appdata") returned 1 [0110.977] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="program files") returned -1 [0110.978] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="program files (x86)") returned -1 [0110.978] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0110.978] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="ONINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" [0110.978] PathFindExtensionW (pszPath="ONINTL.REST.trx_dll") returned=".trx_dll" [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0110.978] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0110.978] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0110.978] lstrlenA (lpString="NEPHILIM") returned 8 [0110.978] GetProcessHeap () returned 0x4e0000 [0110.978] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d5b8 [0110.979] lstrlenA (lpString="NEPHILIM") returned 8 [0110.979] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0110.981] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=260960) returned 1 [0110.981] GetProcessHeap () returned 0x4e0000 [0110.981] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0110.982] GetProcessHeap () returned 0x4e0000 [0110.982] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0110.982] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0110.982] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0110.982] GetProcessHeap () returned 0x4e0000 [0110.982] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0110.982] GetProcessHeap () returned 0x4e0000 [0110.982] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0110.982] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0110.982] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0110.982] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3fb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.983] SetLastError (dwErrCode=0x0) [0110.983] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0111.141] GetLastError () returned 0x0 [0111.141] GetLastError () returned 0x0 [0111.142] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3fc60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.142] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0111.142] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3fd60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.142] lstrlenA (lpString="NEPHILIM") returned 8 [0111.142] WriteFile (in: hFile=0xf8, lpBuffer=0x50d5b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d5b8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0111.142] GetProcessHeap () returned 0x4e0000 [0111.142] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3fb60) returned 0x516fd8 [0111.142] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.142] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x3fb60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x3fb60, lpOverlapped=0x0) returned 1 [0111.277] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.277] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x3fb60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x3fb60, lpOverlapped=0x0) returned 1 [0111.278] GetProcessHeap () returned 0x4e0000 [0111.278] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0111.278] CloseHandle (hObject=0xf8) returned 1 [0111.278] GetProcessHeap () returned 0x4e0000 [0111.278] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0111.278] GetProcessHeap () returned 0x4e0000 [0111.278] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0111.278] GetProcessHeap () returned 0x4e0000 [0111.278] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0111.278] GetProcessHeap () returned 0x4e0000 [0111.278] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0111.279] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" [0111.279] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.NEPHILIM" [0111.279] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll.nephilim")) returned 1 [0111.280] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ab87a00, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1ab87a00, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x37560, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="OUTLLIBR.DLL.trx_dll", cAlternateFileName="OUTLLI~1.TRX")) returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2=".") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="..") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="...") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="windows") returned -1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="rsa") returned -1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="log") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="ntldr") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="boot.ini") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="bootmgr") returned 1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="programdata") returned -1 [0111.280] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="appdata") returned 1 [0111.281] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="program files") returned -1 [0111.281] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0111.281] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0111.281] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="OUTLLIBR.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" [0111.281] PathFindExtensionW (pszPath="OUTLLIBR.DLL.trx_dll") returned=".trx_dll" [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0111.281] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0111.281] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0111.281] lstrlenA (lpString="NEPHILIM") returned 8 [0111.281] GetProcessHeap () returned 0x4e0000 [0111.281] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d5c8 [0111.282] lstrlenA (lpString="NEPHILIM") returned 8 [0111.282] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0111.283] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=226656) returned 1 [0111.283] GetProcessHeap () returned 0x4e0000 [0111.283] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0111.283] GetProcessHeap () returned 0x4e0000 [0111.283] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0111.283] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0111.283] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0111.283] GetProcessHeap () returned 0x4e0000 [0111.283] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0111.283] GetProcessHeap () returned 0x4e0000 [0111.283] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0111.283] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0111.284] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0111.284] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x37560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.284] SetLastError (dwErrCode=0x0) [0111.284] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0111.374] GetLastError () returned 0x0 [0111.374] GetLastError () returned 0x0 [0111.374] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x37660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.374] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0111.374] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x37760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.374] lstrlenA (lpString="NEPHILIM") returned 8 [0111.374] WriteFile (in: hFile=0xf8, lpBuffer=0x50d5c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d5c8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0111.374] GetProcessHeap () returned 0x4e0000 [0111.374] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x37560) returned 0x516fd8 [0111.375] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.375] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x37560, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x37560, lpOverlapped=0x0) returned 1 [0111.732] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.732] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x37560, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x37560, lpOverlapped=0x0) returned 1 [0111.733] GetProcessHeap () returned 0x4e0000 [0111.733] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0111.734] CloseHandle (hObject=0xf8) returned 1 [0111.734] GetProcessHeap () returned 0x4e0000 [0111.734] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0111.734] GetProcessHeap () returned 0x4e0000 [0111.734] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0111.734] GetProcessHeap () returned 0x4e0000 [0111.734] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0111.734] GetProcessHeap () returned 0x4e0000 [0111.734] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0111.734] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" [0111.734] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.NEPHILIM" [0111.734] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll.nephilim")) returned 1 [0111.736] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ab87a00, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1ab87a00, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0xa6560, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="OUTLLIBR.REST.trx_dll", cAlternateFileName="OUTLLI~2.TRX")) returned 1 [0111.736] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2=".") returned 1 [0111.736] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="..") returned 1 [0111.736] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="...") returned 1 [0111.736] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="windows") returned -1 [0111.736] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0111.736] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="rsa") returned -1 [0111.736] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="log") returned 1 [0111.736] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0111.736] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="ntldr") returned 1 [0111.736] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0111.736] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="IO.SYS") returned 1 [0111.736] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="boot.ini") returned 1 [0111.737] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0111.737] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0111.737] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="desktop.ini") returned 1 [0111.737] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0111.737] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="RECYCLER") returned -1 [0111.737] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0111.737] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="bootmgr") returned 1 [0111.737] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="programdata") returned -1 [0111.737] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="appdata") returned 1 [0111.737] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="program files") returned -1 [0111.737] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="program files (x86)") returned -1 [0111.737] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0111.737] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="OUTLLIBR.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" [0111.737] PathFindExtensionW (pszPath="OUTLLIBR.REST.trx_dll") returned=".trx_dll" [0111.737] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0111.738] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0111.738] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0111.738] lstrlenA (lpString="NEPHILIM") returned 8 [0111.738] GetProcessHeap () returned 0x4e0000 [0111.739] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d5d8 [0111.739] lstrlenA (lpString="NEPHILIM") returned 8 [0111.739] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0111.740] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=681312) returned 1 [0111.740] GetProcessHeap () returned 0x4e0000 [0111.740] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0111.740] GetProcessHeap () returned 0x4e0000 [0111.740] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0111.740] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0111.740] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0111.740] GetProcessHeap () returned 0x4e0000 [0111.740] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0111.740] GetProcessHeap () returned 0x4e0000 [0111.740] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0111.741] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0111.741] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0111.741] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xa6560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.741] SetLastError (dwErrCode=0x0) [0111.741] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0111.809] GetLastError () returned 0x0 [0111.809] GetLastError () returned 0x0 [0111.809] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xa6660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.810] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0111.810] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xa6760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.810] lstrlenA (lpString="NEPHILIM") returned 8 [0111.810] WriteFile (in: hFile=0xf8, lpBuffer=0x50d5d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d5d8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0111.810] GetProcessHeap () returned 0x4e0000 [0111.810] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xa6560) returned 0x22b0020 [0111.810] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.810] ReadFile (in: hFile=0xf8, lpBuffer=0x22b0020, nNumberOfBytesToRead=0xa6560, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesRead=0x24dd0b0*=0xa6560, lpOverlapped=0x0) returned 1 [0112.119] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.119] WriteFile (in: hFile=0xf8, lpBuffer=0x22b0020*, nNumberOfBytesToWrite=0xa6560, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesWritten=0x24dd0bc*=0xa6560, lpOverlapped=0x0) returned 1 [0112.121] GetProcessHeap () returned 0x4e0000 [0112.121] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x22b0020 | out: hHeap=0x4e0000) returned 1 [0112.125] CloseHandle (hObject=0xf8) returned 1 [0112.125] GetProcessHeap () returned 0x4e0000 [0112.125] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0112.125] GetProcessHeap () returned 0x4e0000 [0112.125] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0112.125] GetProcessHeap () returned 0x4e0000 [0112.125] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0112.125] GetProcessHeap () returned 0x4e0000 [0112.125] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0112.126] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" [0112.126] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.NEPHILIM" [0112.126] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll.nephilim")) returned 1 [0112.127] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1be9a700, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x2b60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="OUTLWVW.DLL.trx_dll", cAlternateFileName="OUTLWV~1.TRX")) returned 1 [0112.127] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2=".") returned 1 [0112.127] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="..") returned 1 [0112.127] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="...") returned 1 [0112.127] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="windows") returned -1 [0112.127] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0112.127] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="rsa") returned -1 [0112.127] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="log") returned 1 [0112.127] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0112.127] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="ntldr") returned 1 [0112.127] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0112.127] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0112.127] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="boot.ini") returned 1 [0112.128] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0112.128] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0112.128] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0112.128] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0112.128] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0112.128] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0112.128] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="bootmgr") returned 1 [0112.128] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="programdata") returned -1 [0112.128] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="appdata") returned 1 [0112.128] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="program files") returned -1 [0112.128] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0112.128] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0112.128] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="OUTLWVW.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" [0112.128] PathFindExtensionW (pszPath="OUTLWVW.DLL.trx_dll") returned=".trx_dll" [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0112.128] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0112.129] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0112.129] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0112.129] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0112.129] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0112.129] lstrlenA (lpString="NEPHILIM") returned 8 [0112.129] GetProcessHeap () returned 0x4e0000 [0112.129] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d5e8 [0112.129] lstrlenA (lpString="NEPHILIM") returned 8 [0112.129] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0112.129] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=11104) returned 1 [0112.129] GetProcessHeap () returned 0x4e0000 [0112.129] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0112.129] GetProcessHeap () returned 0x4e0000 [0112.129] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0112.129] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0112.130] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0112.130] GetProcessHeap () returned 0x4e0000 [0112.130] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0112.130] GetProcessHeap () returned 0x4e0000 [0112.130] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0112.130] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0112.130] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0112.130] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.130] SetLastError (dwErrCode=0x0) [0112.130] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0112.579] GetLastError () returned 0x0 [0112.579] GetLastError () returned 0x0 [0112.579] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x2c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.579] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0112.579] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x2d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.579] lstrlenA (lpString="NEPHILIM") returned 8 [0112.580] WriteFile (in: hFile=0xf8, lpBuffer=0x50d5e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d5e8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0112.580] GetProcessHeap () returned 0x4e0000 [0112.580] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2b60) returned 0x516fd8 [0112.580] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.580] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x2b60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x2b60, lpOverlapped=0x0) returned 1 [0112.612] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.612] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x2b60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x2b60, lpOverlapped=0x0) returned 1 [0112.612] GetProcessHeap () returned 0x4e0000 [0112.612] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0112.612] CloseHandle (hObject=0xf8) returned 1 [0112.612] GetProcessHeap () returned 0x4e0000 [0112.612] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0112.612] GetProcessHeap () returned 0x4e0000 [0112.612] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0112.612] GetProcessHeap () returned 0x4e0000 [0112.612] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0112.612] GetProcessHeap () returned 0x4e0000 [0112.612] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0112.612] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" [0112.612] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.NEPHILIM" [0112.612] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll.nephilim")) returned 1 [0112.613] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cef6000, ftCreationTime.dwHighDateTime=0x1cac803, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7cef6000, ftLastWriteTime.dwHighDateTime=0x1cac803, nFileSizeHigh=0x0, nFileSizeLow=0xcd60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="PPINTL.DLL.trx_dll", cAlternateFileName="PPINTL~1.TRX")) returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2=".") returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="..") returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="...") returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="windows") returned -1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="log") returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0112.613] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0112.614] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0112.614] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0112.614] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0112.614] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0112.614] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0112.614] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0112.614] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="program files") returned -1 [0112.614] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0112.614] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0112.614] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="PPINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" [0112.614] PathFindExtensionW (pszPath="PPINTL.DLL.trx_dll") returned=".trx_dll" [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0112.614] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0112.614] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0112.614] lstrlenA (lpString="NEPHILIM") returned 8 [0112.614] GetProcessHeap () returned 0x4e0000 [0112.614] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d5f8 [0112.614] lstrlenA (lpString="NEPHILIM") returned 8 [0112.615] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0112.615] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=52576) returned 1 [0112.615] GetProcessHeap () returned 0x4e0000 [0112.616] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0112.616] GetProcessHeap () returned 0x4e0000 [0112.616] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0112.616] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0112.616] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0112.616] GetProcessHeap () returned 0x4e0000 [0112.616] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0112.616] GetProcessHeap () returned 0x4e0000 [0112.616] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0112.616] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0112.616] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0112.616] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xcd60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.616] SetLastError (dwErrCode=0x0) [0112.616] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0112.659] GetLastError () returned 0x0 [0112.659] GetLastError () returned 0x0 [0112.659] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xce60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.659] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0112.659] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xcf60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.659] lstrlenA (lpString="NEPHILIM") returned 8 [0112.659] WriteFile (in: hFile=0xf8, lpBuffer=0x50d5f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d5f8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0112.660] GetProcessHeap () returned 0x4e0000 [0112.660] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xcd60) returned 0x516fd8 [0112.660] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.660] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0xcd60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0xcd60, lpOverlapped=0x0) returned 1 [0112.778] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.778] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0xcd60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0xcd60, lpOverlapped=0x0) returned 1 [0112.779] GetProcessHeap () returned 0x4e0000 [0112.779] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0112.779] CloseHandle (hObject=0xf8) returned 1 [0112.783] GetProcessHeap () returned 0x4e0000 [0112.783] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0112.783] GetProcessHeap () returned 0x4e0000 [0112.783] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0112.783] GetProcessHeap () returned 0x4e0000 [0112.783] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0112.783] GetProcessHeap () returned 0x4e0000 [0112.783] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0112.783] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" [0112.783] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.NEPHILIM" [0112.783] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll.nephilim")) returned 1 [0112.784] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cef6000, ftCreationTime.dwHighDateTime=0x1cac803, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7cef6000, ftLastWriteTime.dwHighDateTime=0x1cac803, nFileSizeHigh=0x0, nFileSizeLow=0x45f60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="PPINTL.REST.trx_dll", cAlternateFileName="PPINTL~2.TRX")) returned 1 [0112.784] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2=".") returned 1 [0112.784] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="..") returned 1 [0112.784] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="...") returned 1 [0112.784] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="windows") returned -1 [0112.784] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0112.784] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="rsa") returned -1 [0112.784] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="log") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="ntldr") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="IO.SYS") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="boot.ini") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="desktop.ini") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="RECYCLER") returned -1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="bootmgr") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="programdata") returned -1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="appdata") returned 1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="program files") returned -1 [0112.785] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="program files (x86)") returned -1 [0112.785] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0112.785] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="PPINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" [0112.785] PathFindExtensionW (pszPath="PPINTL.REST.trx_dll") returned=".trx_dll" [0112.785] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0112.785] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0112.785] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0112.785] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0112.785] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0112.785] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0112.785] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0112.786] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0112.786] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0112.786] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0112.786] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0112.786] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0112.786] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0112.786] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0112.786] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0112.786] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0112.786] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0112.786] lstrlenA (lpString="NEPHILIM") returned 8 [0112.786] GetProcessHeap () returned 0x4e0000 [0112.786] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d608 [0112.786] lstrlenA (lpString="NEPHILIM") returned 8 [0112.786] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0112.790] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=286560) returned 1 [0112.790] GetProcessHeap () returned 0x4e0000 [0112.790] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0112.790] GetProcessHeap () returned 0x4e0000 [0112.790] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0112.790] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0112.790] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0112.790] GetProcessHeap () returned 0x4e0000 [0112.790] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0112.790] GetProcessHeap () returned 0x4e0000 [0112.790] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0112.790] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0112.790] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0112.791] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x45f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.791] SetLastError (dwErrCode=0x0) [0112.791] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0112.912] GetLastError () returned 0x0 [0112.912] GetLastError () returned 0x0 [0112.912] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x46060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.912] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0112.913] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x46160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.913] lstrlenA (lpString="NEPHILIM") returned 8 [0112.913] WriteFile (in: hFile=0xf8, lpBuffer=0x50d608*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d608*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0112.913] GetProcessHeap () returned 0x4e0000 [0112.913] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x45f60) returned 0x516fd8 [0112.913] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.913] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x45f60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x45f60, lpOverlapped=0x0) returned 1 [0112.942] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.942] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x45f60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x45f60, lpOverlapped=0x0) returned 1 [0112.943] GetProcessHeap () returned 0x4e0000 [0112.944] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0112.944] CloseHandle (hObject=0xf8) returned 1 [0112.944] GetProcessHeap () returned 0x4e0000 [0112.944] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0112.944] GetProcessHeap () returned 0x4e0000 [0112.944] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0112.944] GetProcessHeap () returned 0x4e0000 [0112.944] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0112.944] GetProcessHeap () returned 0x4e0000 [0112.944] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0112.944] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" [0112.944] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.NEPHILIM" [0112.944] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll.nephilim")) returned 1 [0112.945] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3b09500, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa3b09500, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x1a360, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="PUB6INTL.DLL.trx_dll", cAlternateFileName="PUB6IN~1.TRX")) returned 1 [0112.945] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2=".") returned 1 [0112.945] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="..") returned 1 [0112.945] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="...") returned 1 [0112.945] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="windows") returned -1 [0112.945] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0112.945] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="rsa") returned -1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="log") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="programdata") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="appdata") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="program files") returned 1 [0112.946] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0112.946] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0112.946] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="PUB6INTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" [0112.946] PathFindExtensionW (pszPath="PUB6INTL.DLL.trx_dll") returned=".trx_dll" [0112.946] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0112.946] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0112.947] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0112.947] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0112.947] lstrlenA (lpString="NEPHILIM") returned 8 [0112.947] GetProcessHeap () returned 0x4e0000 [0112.947] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d618 [0112.947] lstrlenA (lpString="NEPHILIM") returned 8 [0112.947] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0112.949] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=107360) returned 1 [0112.949] GetProcessHeap () returned 0x4e0000 [0112.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0112.949] GetProcessHeap () returned 0x4e0000 [0112.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0112.949] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0112.949] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0112.949] GetProcessHeap () returned 0x4e0000 [0112.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0112.949] GetProcessHeap () returned 0x4e0000 [0112.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0112.949] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0112.949] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0112.950] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x1a360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.950] SetLastError (dwErrCode=0x0) [0112.950] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0112.953] GetLastError () returned 0x0 [0112.953] GetLastError () returned 0x0 [0112.953] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x1a460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.953] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0112.953] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x1a560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.953] lstrlenA (lpString="NEPHILIM") returned 8 [0112.953] WriteFile (in: hFile=0xf8, lpBuffer=0x50d618*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d618*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0112.954] GetProcessHeap () returned 0x4e0000 [0112.954] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1a360) returned 0x516fd8 [0112.954] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.954] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x1a360, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x1a360, lpOverlapped=0x0) returned 1 [0112.962] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.962] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x1a360, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x1a360, lpOverlapped=0x0) returned 1 [0112.962] GetProcessHeap () returned 0x4e0000 [0112.962] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0112.962] CloseHandle (hObject=0xf8) returned 1 [0112.963] GetProcessHeap () returned 0x4e0000 [0112.963] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0112.963] GetProcessHeap () returned 0x4e0000 [0112.963] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0112.963] GetProcessHeap () returned 0x4e0000 [0112.963] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0112.963] GetProcessHeap () returned 0x4e0000 [0112.963] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0112.963] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" [0112.963] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.NEPHILIM" [0112.963] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll.nephilim")) returned 1 [0112.964] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa27f6800, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa27f6800, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x8e160, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="PUB6INTL.REST.trx_dll", cAlternateFileName="PUB6IN~2.TRX")) returned 1 [0112.964] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2=".") returned 1 [0112.964] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="..") returned 1 [0112.964] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="...") returned 1 [0112.964] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="windows") returned -1 [0112.964] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0112.964] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="rsa") returned -1 [0112.964] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="log") returned 1 [0112.964] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0112.964] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="ntldr") returned 1 [0112.964] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="IO.SYS") returned 1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="boot.ini") returned 1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="desktop.ini") returned 1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="RECYCLER") returned -1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="bootmgr") returned 1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="programdata") returned 1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="appdata") returned 1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="program files") returned 1 [0112.965] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="program files (x86)") returned 1 [0112.965] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0112.965] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="PUB6INTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" [0112.965] PathFindExtensionW (pszPath="PUB6INTL.REST.trx_dll") returned=".trx_dll" [0112.965] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0112.965] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0112.965] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0112.965] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0112.965] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0112.965] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0112.965] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0112.965] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0112.965] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0112.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0112.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0112.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0112.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0112.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0112.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0112.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0112.966] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0112.966] lstrlenA (lpString="NEPHILIM") returned 8 [0112.966] GetProcessHeap () returned 0x4e0000 [0112.966] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d628 [0112.966] lstrlenA (lpString="NEPHILIM") returned 8 [0112.966] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0112.966] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=581984) returned 1 [0112.967] GetProcessHeap () returned 0x4e0000 [0112.967] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0112.967] GetProcessHeap () returned 0x4e0000 [0112.967] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0112.967] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0112.967] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0112.967] GetProcessHeap () returned 0x4e0000 [0112.967] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0112.967] GetProcessHeap () returned 0x4e0000 [0112.967] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0112.967] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0112.967] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0112.967] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x8e160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.967] SetLastError (dwErrCode=0x0) [0112.967] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0112.970] GetLastError () returned 0x0 [0112.970] GetLastError () returned 0x0 [0112.970] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x8e260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.970] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0112.970] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x8e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.970] lstrlenA (lpString="NEPHILIM") returned 8 [0112.970] WriteFile (in: hFile=0xf8, lpBuffer=0x50d628*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d628*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0112.971] GetProcessHeap () returned 0x4e0000 [0112.971] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8e160) returned 0x2110020 [0112.971] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.971] ReadFile (in: hFile=0xf8, lpBuffer=0x2110020, nNumberOfBytesToRead=0x8e160, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dd0b0*=0x8e160, lpOverlapped=0x0) returned 1 [0113.024] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.024] WriteFile (in: hFile=0xf8, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x8e160, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dd0bc*=0x8e160, lpOverlapped=0x0) returned 1 [0113.026] GetProcessHeap () returned 0x4e0000 [0113.026] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0113.030] CloseHandle (hObject=0xf8) returned 1 [0113.030] GetProcessHeap () returned 0x4e0000 [0113.030] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.030] GetProcessHeap () returned 0x4e0000 [0113.030] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.030] GetProcessHeap () returned 0x4e0000 [0113.030] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.030] GetProcessHeap () returned 0x4e0000 [0113.030] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.030] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" [0113.030] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.NEPHILIM" [0113.030] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll.nephilim")) returned 1 [0113.031] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749d2200, ftCreationTime.dwHighDateTime=0x1cac80f, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x749d2200, ftLastWriteTime.dwHighDateTime=0x1cac80f, nFileSizeHigh=0x0, nFileSizeLow=0x5ab60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="PUBWZINT.REST.trx_dll", cAlternateFileName="PUBWZI~1.TRX")) returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2=".") returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="..") returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="...") returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="windows") returned -1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="rsa") returned -1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="log") returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="ntldr") returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="IO.SYS") returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="boot.ini") returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0113.032] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="desktop.ini") returned 1 [0113.033] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.033] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="RECYCLER") returned -1 [0113.033] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.033] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="bootmgr") returned 1 [0113.033] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="programdata") returned 1 [0113.033] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="appdata") returned 1 [0113.033] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="program files") returned 1 [0113.033] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="program files (x86)") returned 1 [0113.033] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0113.033] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="PUBWZINT.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" [0113.033] PathFindExtensionW (pszPath="PUBWZINT.REST.trx_dll") returned=".trx_dll" [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.033] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.034] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.034] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.034] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.034] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.034] lstrlenA (lpString="NEPHILIM") returned 8 [0113.034] GetProcessHeap () returned 0x4e0000 [0113.034] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d638 [0113.034] lstrlenA (lpString="NEPHILIM") returned 8 [0113.034] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.038] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=371552) returned 1 [0113.038] GetProcessHeap () returned 0x4e0000 [0113.038] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.038] GetProcessHeap () returned 0x4e0000 [0113.038] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.038] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.038] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.038] GetProcessHeap () returned 0x4e0000 [0113.038] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.038] GetProcessHeap () returned 0x4e0000 [0113.038] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.038] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.038] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.039] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x5ab60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.039] SetLastError (dwErrCode=0x0) [0113.039] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.043] GetLastError () returned 0x0 [0113.043] GetLastError () returned 0x0 [0113.043] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x5ac60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.043] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.043] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x5ad60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.043] lstrlenA (lpString="NEPHILIM") returned 8 [0113.043] WriteFile (in: hFile=0xf8, lpBuffer=0x50d638*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d638*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.044] GetProcessHeap () returned 0x4e0000 [0113.044] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x5ab60) returned 0x516fd8 [0113.044] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.044] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x5ab60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x5ab60, lpOverlapped=0x0) returned 1 [0113.075] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.075] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x5ab60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x5ab60, lpOverlapped=0x0) returned 1 [0113.077] GetProcessHeap () returned 0x4e0000 [0113.077] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0113.077] CloseHandle (hObject=0xf8) returned 1 [0113.077] GetProcessHeap () returned 0x4e0000 [0113.077] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.077] GetProcessHeap () returned 0x4e0000 [0113.077] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.077] GetProcessHeap () returned 0x4e0000 [0113.077] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.077] GetProcessHeap () returned 0x4e0000 [0113.077] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.077] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" [0113.077] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.NEPHILIM" [0113.077] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll.nephilim")) returned 1 [0113.078] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d7a1200, ftCreationTime.dwHighDateTime=0x1cac817, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6d7a1200, ftLastWriteTime.dwHighDateTime=0x1cac817, nFileSizeHigh=0x0, nFileSizeLow=0x3360, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="SGRES.DLL.trx_dll", cAlternateFileName="SGRESD~1.TRX")) returned 1 [0113.078] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2=".") returned 1 [0113.078] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="..") returned 1 [0113.078] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="...") returned 1 [0113.078] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="windows") returned -1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="rsa") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="log") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="programdata") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="appdata") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="program files") returned 1 [0113.079] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0113.079] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0113.079] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="SGRES.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" [0113.079] PathFindExtensionW (pszPath="SGRES.DLL.trx_dll") returned=".trx_dll" [0113.079] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.080] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.080] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.080] lstrlenA (lpString="NEPHILIM") returned 8 [0113.080] GetProcessHeap () returned 0x4e0000 [0113.080] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d648 [0113.080] lstrlenA (lpString="NEPHILIM") returned 8 [0113.080] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.083] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=13152) returned 1 [0113.083] GetProcessHeap () returned 0x4e0000 [0113.084] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.084] GetProcessHeap () returned 0x4e0000 [0113.084] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.084] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.084] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.084] GetProcessHeap () returned 0x4e0000 [0113.084] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.084] GetProcessHeap () returned 0x4e0000 [0113.084] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.084] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.084] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.085] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.085] SetLastError (dwErrCode=0x0) [0113.085] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.087] GetLastError () returned 0x0 [0113.087] GetLastError () returned 0x0 [0113.087] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.087] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.088] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.088] lstrlenA (lpString="NEPHILIM") returned 8 [0113.088] WriteFile (in: hFile=0xf8, lpBuffer=0x50d648*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d648*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.089] GetProcessHeap () returned 0x4e0000 [0113.089] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3360) returned 0x516fd8 [0113.089] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.089] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x3360, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x3360, lpOverlapped=0x0) returned 1 [0113.091] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.091] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x3360, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x3360, lpOverlapped=0x0) returned 1 [0113.091] GetProcessHeap () returned 0x4e0000 [0113.091] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0113.091] CloseHandle (hObject=0xf8) returned 1 [0113.092] GetProcessHeap () returned 0x4e0000 [0113.092] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.092] GetProcessHeap () returned 0x4e0000 [0113.092] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.092] GetProcessHeap () returned 0x4e0000 [0113.092] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.092] GetProcessHeap () returned 0x4e0000 [0113.092] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.092] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" [0113.092] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.NEPHILIM" [0113.092] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll.nephilim")) returned 1 [0113.093] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8e7d800, ftCreationTime.dwHighDateTime=0x1cac7f6, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc8e7d800, ftLastWriteTime.dwHighDateTime=0x1cac7f6, nFileSizeHigh=0x0, nFileSizeLow=0x4160, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="STINTL.DLL.trx_dll", cAlternateFileName="STINTL~1.TRX")) returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2=".") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="..") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="...") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="windows") returned -1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="rsa") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="log") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.093] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.094] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0113.094] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.094] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.094] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="programdata") returned 1 [0113.094] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0113.094] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="program files") returned 1 [0113.094] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0113.094] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0113.094] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="STINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" [0113.094] PathFindExtensionW (pszPath="STINTL.DLL.trx_dll") returned=".trx_dll" [0113.094] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.094] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.094] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.094] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.094] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.094] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.094] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.094] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.094] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.094] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.095] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.095] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.095] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.095] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.095] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.095] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.095] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.095] lstrlenA (lpString="NEPHILIM") returned 8 [0113.095] GetProcessHeap () returned 0x4e0000 [0113.095] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d658 [0113.095] lstrlenA (lpString="NEPHILIM") returned 8 [0113.095] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.096] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=16736) returned 1 [0113.096] GetProcessHeap () returned 0x4e0000 [0113.096] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.096] GetProcessHeap () returned 0x4e0000 [0113.096] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.096] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.096] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.096] GetProcessHeap () returned 0x4e0000 [0113.097] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.097] GetProcessHeap () returned 0x4e0000 [0113.097] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.097] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.097] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.097] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x4160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.097] SetLastError (dwErrCode=0x0) [0113.097] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.099] GetLastError () returned 0x0 [0113.099] GetLastError () returned 0x0 [0113.099] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x4260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.099] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.099] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x4360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.100] lstrlenA (lpString="NEPHILIM") returned 8 [0113.100] WriteFile (in: hFile=0xf8, lpBuffer=0x50d658*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d658*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.100] GetProcessHeap () returned 0x4e0000 [0113.100] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x4160) returned 0x516fd8 [0113.100] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.100] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x4160, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x4160, lpOverlapped=0x0) returned 1 [0113.102] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.102] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x4160, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x4160, lpOverlapped=0x0) returned 1 [0113.102] GetProcessHeap () returned 0x4e0000 [0113.102] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0113.102] CloseHandle (hObject=0xf8) returned 1 [0113.102] GetProcessHeap () returned 0x4e0000 [0113.102] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.103] GetProcessHeap () returned 0x4e0000 [0113.103] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.103] GetProcessHeap () returned 0x4e0000 [0113.103] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.103] GetProcessHeap () returned 0x4e0000 [0113.103] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.103] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" [0113.103] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.NEPHILIM" [0113.103] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll.nephilim")) returned 1 [0113.104] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf706700, ftCreationTime.dwHighDateTime=0x1cac81a, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbf706700, ftLastWriteTime.dwHighDateTime=0x1cac81a, nFileSizeHigh=0x0, nFileSizeLow=0x6960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="VISBRRES.DLL.trx_dll", cAlternateFileName="VISBRR~1.TRX")) returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2=".") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="..") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="...") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="windows") returned -1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="rsa") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="log") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="programdata") returned 1 [0113.104] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="appdata") returned 1 [0113.105] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="program files") returned 1 [0113.105] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0113.105] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0113.105] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="VISBRRES.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" [0113.105] PathFindExtensionW (pszPath="VISBRRES.DLL.trx_dll") returned=".trx_dll" [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.105] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.105] lstrlenA (lpString="NEPHILIM") returned 8 [0113.105] GetProcessHeap () returned 0x4e0000 [0113.105] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d668 [0113.106] lstrlenA (lpString="NEPHILIM") returned 8 [0113.106] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.108] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=26976) returned 1 [0113.108] GetProcessHeap () returned 0x4e0000 [0113.108] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.108] GetProcessHeap () returned 0x4e0000 [0113.108] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.108] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.109] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.109] GetProcessHeap () returned 0x4e0000 [0113.109] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.109] GetProcessHeap () returned 0x4e0000 [0113.109] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.109] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.109] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.109] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x6960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.109] SetLastError (dwErrCode=0x0) [0113.109] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.117] GetLastError () returned 0x0 [0113.117] GetLastError () returned 0x0 [0113.117] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.117] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.117] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x6b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.117] lstrlenA (lpString="NEPHILIM") returned 8 [0113.117] WriteFile (in: hFile=0xf8, lpBuffer=0x50d668*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d668*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.117] GetProcessHeap () returned 0x4e0000 [0113.117] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x6960) returned 0x516fd8 [0113.118] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.118] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x6960, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x6960, lpOverlapped=0x0) returned 1 [0113.122] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.122] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x6960, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x6960, lpOverlapped=0x0) returned 1 [0113.122] GetProcessHeap () returned 0x4e0000 [0113.122] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0113.122] CloseHandle (hObject=0xf8) returned 1 [0113.122] GetProcessHeap () returned 0x4e0000 [0113.122] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.122] GetProcessHeap () returned 0x4e0000 [0113.123] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.123] GetProcessHeap () returned 0x4e0000 [0113.123] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.123] GetProcessHeap () returned 0x4e0000 [0113.123] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.123] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" [0113.123] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.NEPHILIM" [0113.123] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll.nephilim")) returned 1 [0113.124] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a315700, ftCreationTime.dwHighDateTime=0x1cac814, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6a315700, ftLastWriteTime.dwHighDateTime=0x1cac814, nFileSizeHigh=0x0, nFileSizeLow=0x77560, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="VISINTL.DLL.trx_dll", cAlternateFileName="VISINT~1.TRX")) returned 1 [0113.124] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2=".") returned 1 [0113.124] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="..") returned 1 [0113.124] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="...") returned 1 [0113.124] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="windows") returned -1 [0113.124] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.124] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="rsa") returned 1 [0113.124] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="log") returned 1 [0113.124] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.124] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="programdata") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0113.125] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="program files") returned 1 [0113.126] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0113.126] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0113.126] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="VISINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" [0113.126] PathFindExtensionW (pszPath="VISINTL.DLL.trx_dll") returned=".trx_dll" [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.126] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.127] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.127] lstrlenA (lpString="NEPHILIM") returned 8 [0113.127] GetProcessHeap () returned 0x4e0000 [0113.127] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d678 [0113.127] lstrlenA (lpString="NEPHILIM") returned 8 [0113.127] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.127] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=488800) returned 1 [0113.128] GetProcessHeap () returned 0x4e0000 [0113.128] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.128] GetProcessHeap () returned 0x4e0000 [0113.128] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.128] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.128] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.128] GetProcessHeap () returned 0x4e0000 [0113.128] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.128] GetProcessHeap () returned 0x4e0000 [0113.128] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.128] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.128] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.128] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x77560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.128] SetLastError (dwErrCode=0x0) [0113.129] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.134] GetLastError () returned 0x0 [0113.134] GetLastError () returned 0x0 [0113.134] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x77660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.134] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.135] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x77760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.135] lstrlenA (lpString="NEPHILIM") returned 8 [0113.135] WriteFile (in: hFile=0xf8, lpBuffer=0x50d678*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d678*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.135] GetProcessHeap () returned 0x4e0000 [0113.135] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x77560) returned 0x2010048 [0113.135] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.135] ReadFile (in: hFile=0xf8, lpBuffer=0x2010048, nNumberOfBytesToRead=0x77560, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x2010048*, lpNumberOfBytesRead=0x24dd0b0*=0x77560, lpOverlapped=0x0) returned 1 [0113.168] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.168] WriteFile (in: hFile=0xf8, lpBuffer=0x2010048*, nNumberOfBytesToWrite=0x77560, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x2010048*, lpNumberOfBytesWritten=0x24dd0bc*=0x77560, lpOverlapped=0x0) returned 1 [0113.170] GetProcessHeap () returned 0x4e0000 [0113.170] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2010048 | out: hHeap=0x4e0000) returned 1 [0113.170] CloseHandle (hObject=0xf8) returned 1 [0113.170] GetProcessHeap () returned 0x4e0000 [0113.170] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.170] GetProcessHeap () returned 0x4e0000 [0113.170] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.170] GetProcessHeap () returned 0x4e0000 [0113.170] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.170] GetProcessHeap () returned 0x4e0000 [0113.170] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.170] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" [0113.170] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.NEPHILIM" [0113.170] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll.nephilim")) returned 1 [0113.171] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb31c100, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0ca650, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xcb31c100, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x25b60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="WWINTL.DLL.trx_dll", cAlternateFileName="WWINTL~1.TRX")) returned 1 [0113.171] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2=".") returned 1 [0113.171] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="..") returned 1 [0113.171] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="...") returned 1 [0113.171] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="windows") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="rsa") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="log") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="programdata") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="program files") returned 1 [0113.172] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0113.172] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0113.172] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="WWINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" [0113.172] PathFindExtensionW (pszPath="WWINTL.DLL.trx_dll") returned=".trx_dll" [0113.172] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.172] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.172] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.173] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.173] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.173] lstrlenA (lpString="NEPHILIM") returned 8 [0113.173] GetProcessHeap () returned 0x4e0000 [0113.173] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d688 [0113.173] lstrlenA (lpString="NEPHILIM") returned 8 [0113.173] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.173] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=154464) returned 1 [0113.174] GetProcessHeap () returned 0x4e0000 [0113.174] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.174] GetProcessHeap () returned 0x4e0000 [0113.174] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.174] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.174] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.174] GetProcessHeap () returned 0x4e0000 [0113.174] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.174] GetProcessHeap () returned 0x4e0000 [0113.174] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.174] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.174] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.174] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x25b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.174] SetLastError (dwErrCode=0x0) [0113.174] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.184] GetLastError () returned 0x0 [0113.184] GetLastError () returned 0x0 [0113.184] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x25c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.184] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.185] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x25d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.185] lstrlenA (lpString="NEPHILIM") returned 8 [0113.185] WriteFile (in: hFile=0xf8, lpBuffer=0x50d688*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d688*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.185] GetProcessHeap () returned 0x4e0000 [0113.185] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x25b60) returned 0x516fd8 [0113.185] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.185] ReadFile (in: hFile=0xf8, lpBuffer=0x516fd8, nNumberOfBytesToRead=0x25b60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x25b60, lpOverlapped=0x0) returned 1 [0113.196] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.196] WriteFile (in: hFile=0xf8, lpBuffer=0x516fd8*, nNumberOfBytesToWrite=0x25b60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x516fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x25b60, lpOverlapped=0x0) returned 1 [0113.197] GetProcessHeap () returned 0x4e0000 [0113.197] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x516fd8 | out: hHeap=0x4e0000) returned 1 [0113.197] CloseHandle (hObject=0xf8) returned 1 [0113.197] GetProcessHeap () returned 0x4e0000 [0113.197] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.197] GetProcessHeap () returned 0x4e0000 [0113.198] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.198] GetProcessHeap () returned 0x4e0000 [0113.198] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.198] GetProcessHeap () returned 0x4e0000 [0113.198] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.198] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" [0113.198] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.NEPHILIM" [0113.198] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll.nephilim")) returned 1 [0113.198] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb31c100, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xcb31c100, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x115b60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="WWINTL.REST.trx_dll", cAlternateFileName="WWINTL~2.TRX")) returned 1 [0113.198] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2=".") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="..") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="...") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="windows") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="rsa") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="log") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="ntldr") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="IO.SYS") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="boot.ini") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="desktop.ini") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="RECYCLER") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="bootmgr") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="programdata") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="appdata") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="program files") returned 1 [0113.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="program files (x86)") returned 1 [0113.199] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0113.199] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="WWINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" [0113.199] PathFindExtensionW (pszPath="WWINTL.REST.trx_dll") returned=".trx_dll" [0113.199] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.199] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.200] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.200] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.200] lstrlenA (lpString="NEPHILIM") returned 8 [0113.200] GetProcessHeap () returned 0x4e0000 [0113.200] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d698 [0113.200] lstrlenA (lpString="NEPHILIM") returned 8 [0113.200] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.201] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=1137504) returned 1 [0113.201] GetProcessHeap () returned 0x4e0000 [0113.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.201] GetProcessHeap () returned 0x4e0000 [0113.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.201] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.201] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.201] GetProcessHeap () returned 0x4e0000 [0113.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.201] GetProcessHeap () returned 0x4e0000 [0113.201] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.201] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.202] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.202] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x115b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.202] SetLastError (dwErrCode=0x0) [0113.202] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.206] GetLastError () returned 0x0 [0113.206] GetLastError () returned 0x0 [0113.206] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x115c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.206] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.206] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x115d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.206] lstrlenA (lpString="NEPHILIM") returned 8 [0113.206] WriteFile (in: hFile=0xf8, lpBuffer=0x50d698*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d698*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.206] GetProcessHeap () returned 0x4e0000 [0113.206] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x115b60) returned 0x22b0020 [0113.207] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.207] ReadFile (in: hFile=0xf8, lpBuffer=0x22b0020, nNumberOfBytesToRead=0x115b60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesRead=0x24dd0b0*=0x115b60, lpOverlapped=0x0) returned 1 [0113.301] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.301] WriteFile (in: hFile=0xf8, lpBuffer=0x22b0020*, nNumberOfBytesToWrite=0x115b60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesWritten=0x24dd0bc*=0x115b60, lpOverlapped=0x0) returned 1 [0113.304] GetProcessHeap () returned 0x4e0000 [0113.304] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x22b0020 | out: hHeap=0x4e0000) returned 1 [0113.312] CloseHandle (hObject=0xf8) returned 1 [0113.313] GetProcessHeap () returned 0x4e0000 [0113.313] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.313] GetProcessHeap () returned 0x4e0000 [0113.313] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.313] GetProcessHeap () returned 0x4e0000 [0113.313] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.313] GetProcessHeap () returned 0x4e0000 [0113.313] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.313] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" [0113.313] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.NEPHILIM" [0113.314] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll.nephilim")) returned 1 [0113.314] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6b688100, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6b688100, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x25360, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="XLINTL32.DLL.trx_dll", cAlternateFileName="XLINTL~1.TRX")) returned 1 [0113.314] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2=".") returned 1 [0113.314] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="..") returned 1 [0113.314] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="...") returned 1 [0113.314] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="windows") returned 1 [0113.314] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="rsa") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="log") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="programdata") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="appdata") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="program files") returned 1 [0113.315] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0113.315] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0113.315] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="XLINTL32.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" [0113.315] PathFindExtensionW (pszPath="XLINTL32.DLL.trx_dll") returned=".trx_dll" [0113.315] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.315] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.316] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.316] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.316] lstrlenA (lpString="NEPHILIM") returned 8 [0113.316] GetProcessHeap () returned 0x4e0000 [0113.316] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d6a8 [0113.316] lstrlenA (lpString="NEPHILIM") returned 8 [0113.316] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.322] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=152416) returned 1 [0113.322] GetProcessHeap () returned 0x4e0000 [0113.322] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.322] GetProcessHeap () returned 0x4e0000 [0113.322] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.322] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.323] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.323] GetProcessHeap () returned 0x4e0000 [0113.323] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.323] GetProcessHeap () returned 0x4e0000 [0113.323] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.323] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.323] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.323] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x25360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.323] SetLastError (dwErrCode=0x0) [0113.323] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.326] GetLastError () returned 0x0 [0113.326] GetLastError () returned 0x0 [0113.326] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x25460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.326] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.327] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x25560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.327] lstrlenA (lpString="NEPHILIM") returned 8 [0113.327] WriteFile (in: hFile=0xf8, lpBuffer=0x50d6a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d6a8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.327] GetProcessHeap () returned 0x4e0000 [0113.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x25360) returned 0x518fd8 [0113.327] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.327] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x25360, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x25360, lpOverlapped=0x0) returned 1 [0113.338] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.338] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x25360, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x25360, lpOverlapped=0x0) returned 1 [0113.339] GetProcessHeap () returned 0x4e0000 [0113.339] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.339] CloseHandle (hObject=0xf8) returned 1 [0113.339] GetProcessHeap () returned 0x4e0000 [0113.339] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.339] GetProcessHeap () returned 0x4e0000 [0113.339] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.339] GetProcessHeap () returned 0x4e0000 [0113.339] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.339] GetProcessHeap () returned 0x4e0000 [0113.339] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.339] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" [0113.339] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.NEPHILIM" [0113.339] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll.nephilim")) returned 1 [0113.340] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a375400, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6a375400, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x137960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="XLINTL32.REST.trx_dll", cAlternateFileName="XLINTL~2.TRX")) returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2=".") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="..") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="...") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="windows") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="rsa") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="log") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="ntldr") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="IO.SYS") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="boot.ini") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.340] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0113.341] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="desktop.ini") returned 1 [0113.341] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.341] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="RECYCLER") returned 1 [0113.341] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.341] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="bootmgr") returned 1 [0113.341] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="programdata") returned 1 [0113.341] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="appdata") returned 1 [0113.341] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="program files") returned 1 [0113.341] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="program files (x86)") returned 1 [0113.341] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0113.341] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="XLINTL32.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" [0113.341] PathFindExtensionW (pszPath="XLINTL32.REST.trx_dll") returned=".trx_dll" [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.341] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.341] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.341] lstrlenA (lpString="NEPHILIM") returned 8 [0113.341] GetProcessHeap () returned 0x4e0000 [0113.341] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d6b8 [0113.342] lstrlenA (lpString="NEPHILIM") returned 8 [0113.342] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.342] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=1276256) returned 1 [0113.342] GetProcessHeap () returned 0x4e0000 [0113.342] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.342] GetProcessHeap () returned 0x4e0000 [0113.342] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.342] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.342] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.342] GetProcessHeap () returned 0x4e0000 [0113.342] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.342] GetProcessHeap () returned 0x4e0000 [0113.342] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.342] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.342] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.343] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x137960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.343] SetLastError (dwErrCode=0x0) [0113.343] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.348] GetLastError () returned 0x0 [0113.348] GetLastError () returned 0x0 [0113.348] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x137a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.349] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.349] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x137b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.349] lstrlenA (lpString="NEPHILIM") returned 8 [0113.349] WriteFile (in: hFile=0xf8, lpBuffer=0x50d6b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d6b8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.349] GetProcessHeap () returned 0x4e0000 [0113.349] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2110020 [0113.349] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.349] ReadFile (in: hFile=0xf8, lpBuffer=0x2110020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dd0b0*=0x927c0, lpOverlapped=0x0) returned 1 [0113.420] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.421] WriteFile (in: hFile=0xf8, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dd0bc*=0x927c0, lpOverlapped=0x0) returned 1 [0113.423] GetProcessHeap () returned 0x4e0000 [0113.423] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0113.426] CloseHandle (hObject=0xf8) returned 1 [0113.427] GetProcessHeap () returned 0x4e0000 [0113.427] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.427] GetProcessHeap () returned 0x4e0000 [0113.427] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.427] GetProcessHeap () returned 0x4e0000 [0113.427] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.427] GetProcessHeap () returned 0x4e0000 [0113.427] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.427] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" [0113.427] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.NEPHILIM" [0113.427] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll.nephilim")) returned 1 [0113.428] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe092000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe092000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 1 [0113.428] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2=".") returned 1 [0113.428] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="..") returned 1 [0113.428] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="...") returned 1 [0113.428] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="windows") returned 1 [0113.428] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.428] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="rsa") returned 1 [0113.428] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="log") returned 1 [0113.428] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.428] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.428] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="programdata") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="appdata") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="program files") returned 1 [0113.429] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0113.429] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0113.429] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="XLSLICER.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" [0113.429] PathFindExtensionW (pszPath="XLSLICER.DLL.trx_dll") returned=".trx_dll" [0113.429] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.429] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.430] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.430] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.430] lstrlenA (lpString="NEPHILIM") returned 8 [0113.430] GetProcessHeap () returned 0x4e0000 [0113.430] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d6c8 [0113.430] lstrlenA (lpString="NEPHILIM") returned 8 [0113.430] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.431] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=15712) returned 1 [0113.431] GetProcessHeap () returned 0x4e0000 [0113.431] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.431] GetProcessHeap () returned 0x4e0000 [0113.431] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.431] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.431] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.431] GetProcessHeap () returned 0x4e0000 [0113.431] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.431] GetProcessHeap () returned 0x4e0000 [0113.431] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.431] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.432] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.432] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.432] SetLastError (dwErrCode=0x0) [0113.432] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.436] GetLastError () returned 0x0 [0113.436] GetLastError () returned 0x0 [0113.436] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.436] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.436] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.436] lstrlenA (lpString="NEPHILIM") returned 8 [0113.436] WriteFile (in: hFile=0xf8, lpBuffer=0x50d6c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d6c8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.436] GetProcessHeap () returned 0x4e0000 [0113.436] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3d60) returned 0x518fd8 [0113.436] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.436] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x3d60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x3d60, lpOverlapped=0x0) returned 1 [0113.442] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.442] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x3d60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x3d60, lpOverlapped=0x0) returned 1 [0113.442] GetProcessHeap () returned 0x4e0000 [0113.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.442] CloseHandle (hObject=0xf8) returned 1 [0113.442] GetProcessHeap () returned 0x4e0000 [0113.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.442] GetProcessHeap () returned 0x4e0000 [0113.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.442] GetProcessHeap () returned 0x4e0000 [0113.443] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.443] GetProcessHeap () returned 0x4e0000 [0113.443] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.443] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" [0113.443] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.NEPHILIM" [0113.443] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll.nephilim")) returned 1 [0113.444] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe092000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe092000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 0 [0113.444] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0113.444] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x3cadb4a3, cFileName="3082", cAlternateFileName="")) returned 1 [0113.444] lstrcmpiW (lpString1="3082", lpString2=".") returned 1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="..") returned 1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="...") returned 1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="windows") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="$RECYCLE.BIN") returned 1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="rsa") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="log") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="NTDETECT.COM") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="ntldr") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="MSDOS.SYS") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="IO.SYS") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="boot.ini") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="AUTOEXEC.BAT") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="ntuser.dat") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="desktop.ini") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="CONFIG.SYS") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="RECYCLER") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="BOOTSECT.BAK") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="bootmgr") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="programdata") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="appdata") returned -1 [0113.444] lstrcmpiW (lpString1="3082", lpString2="program files") returned -1 [0113.445] lstrcmpiW (lpString1="3082", lpString2="program files (x86)") returned -1 [0113.445] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" [0113.445] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\", lpString2="3082" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082" [0113.445] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.445] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.445] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\*.*") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\*.*" [0113.445] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0113.449] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0113.449] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0113.461] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0113.461] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0113.461] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x3760, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="ENVELOPR.DLL.trx_dll", cAlternateFileName="ENVELO~1.TRX")) returned 1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2=".") returned 1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="..") returned 1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="...") returned 1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="windows") returned -1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="rsa") returned -1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="log") returned -1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="NTDETECT.COM") returned -1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="ntldr") returned -1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="MSDOS.SYS") returned -1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="IO.SYS") returned -1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.461] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="programdata") returned -1 [0113.462] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="appdata") returned 1 [0113.462] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="program files") returned -1 [0113.462] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0113.462] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.462] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="ENVELOPR.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" [0113.462] PathFindExtensionW (pszPath="ENVELOPR.DLL.trx_dll") returned=".trx_dll" [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.462] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.462] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0113.463] lstrlenA (lpString="NEPHILIM") returned 8 [0113.463] GetProcessHeap () returned 0x4e0000 [0113.463] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d6d8 [0113.463] lstrlenA (lpString="NEPHILIM") returned 8 [0113.463] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.465] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=14176) returned 1 [0113.466] GetProcessHeap () returned 0x4e0000 [0113.466] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.466] GetProcessHeap () returned 0x4e0000 [0113.466] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.466] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.466] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.466] GetProcessHeap () returned 0x4e0000 [0113.466] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.466] GetProcessHeap () returned 0x4e0000 [0113.466] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.466] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.467] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.467] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.467] SetLastError (dwErrCode=0x0) [0113.467] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.471] GetLastError () returned 0x0 [0113.471] GetLastError () returned 0x0 [0113.472] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.472] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.472] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.472] lstrlenA (lpString="NEPHILIM") returned 8 [0113.472] WriteFile (in: hFile=0xf8, lpBuffer=0x50d6d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d6d8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.472] GetProcessHeap () returned 0x4e0000 [0113.472] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3760) returned 0x518fd8 [0113.472] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.472] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x3760, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x3760, lpOverlapped=0x0) returned 1 [0113.475] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.475] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x3760, lpOverlapped=0x0) returned 1 [0113.476] GetProcessHeap () returned 0x4e0000 [0113.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.476] CloseHandle (hObject=0xf8) returned 1 [0113.476] GetProcessHeap () returned 0x4e0000 [0113.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.476] GetProcessHeap () returned 0x4e0000 [0113.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.476] GetProcessHeap () returned 0x4e0000 [0113.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.476] GetProcessHeap () returned 0x4e0000 [0113.476] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.476] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" [0113.476] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.NEPHILIM" [0113.476] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll.nephilim")) returned 1 [0113.477] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x74912800, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x74912800, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0xb960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="GRINTL32.DLL.trx_dll", cAlternateFileName="GRINTL~1.TRX")) returned 1 [0113.477] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2=".") returned 1 [0113.477] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="..") returned 1 [0113.477] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="...") returned 1 [0113.477] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="windows") returned -1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="rsa") returned -1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="log") returned -1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="NTDETECT.COM") returned -1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="ntldr") returned -1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="MSDOS.SYS") returned -1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="IO.SYS") returned -1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="programdata") returned -1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="appdata") returned 1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="program files") returned -1 [0113.478] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0113.478] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.478] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="GRINTL32.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" [0113.478] PathFindExtensionW (pszPath="GRINTL32.DLL.trx_dll") returned=".trx_dll" [0113.478] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.478] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.478] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.479] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.479] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0113.479] lstrlenA (lpString="NEPHILIM") returned 8 [0113.479] GetProcessHeap () returned 0x4e0000 [0113.479] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d6e8 [0113.479] lstrlenA (lpString="NEPHILIM") returned 8 [0113.479] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.480] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=47456) returned 1 [0113.480] GetProcessHeap () returned 0x4e0000 [0113.480] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.480] GetProcessHeap () returned 0x4e0000 [0113.480] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.480] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.480] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.480] GetProcessHeap () returned 0x4e0000 [0113.480] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.480] GetProcessHeap () returned 0x4e0000 [0113.480] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.480] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.481] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.481] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xb960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.481] SetLastError (dwErrCode=0x0) [0113.481] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.483] GetLastError () returned 0x0 [0113.483] GetLastError () returned 0x0 [0113.483] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xba60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.483] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.484] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xbb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.484] lstrlenA (lpString="NEPHILIM") returned 8 [0113.484] WriteFile (in: hFile=0xf8, lpBuffer=0x50d6e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d6e8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.484] GetProcessHeap () returned 0x4e0000 [0113.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xb960) returned 0x518fd8 [0113.484] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.484] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0xb960, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0xb960, lpOverlapped=0x0) returned 1 [0113.488] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.488] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0xb960, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0xb960, lpOverlapped=0x0) returned 1 [0113.489] GetProcessHeap () returned 0x4e0000 [0113.489] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.489] CloseHandle (hObject=0xf8) returned 1 [0113.489] GetProcessHeap () returned 0x4e0000 [0113.489] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.489] GetProcessHeap () returned 0x4e0000 [0113.489] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.489] GetProcessHeap () returned 0x4e0000 [0113.489] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.489] GetProcessHeap () returned 0x4e0000 [0113.489] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.489] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" [0113.489] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.NEPHILIM" [0113.489] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll.nephilim")) returned 1 [0113.490] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x74912800, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x74912800, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0x39960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="GRINTL32.REST.trx_dll", cAlternateFileName="GRINTL~2.TRX")) returned 1 [0113.490] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2=".") returned 1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="..") returned 1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="...") returned 1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="windows") returned -1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="rsa") returned -1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="log") returned -1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="NTDETECT.COM") returned -1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="ntldr") returned -1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="MSDOS.SYS") returned -1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="IO.SYS") returned -1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="boot.ini") returned 1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="ntuser.dat") returned -1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="desktop.ini") returned 1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="RECYCLER") returned -1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="bootmgr") returned 1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="programdata") returned -1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="appdata") returned 1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="program files") returned -1 [0113.491] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="program files (x86)") returned -1 [0113.492] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.492] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="GRINTL32.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" [0113.492] PathFindExtensionW (pszPath="GRINTL32.REST.trx_dll") returned=".trx_dll" [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.492] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0113.492] lstrlenA (lpString="NEPHILIM") returned 8 [0113.492] GetProcessHeap () returned 0x4e0000 [0113.492] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d6f8 [0113.492] lstrlenA (lpString="NEPHILIM") returned 8 [0113.493] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.493] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=235872) returned 1 [0113.493] GetProcessHeap () returned 0x4e0000 [0113.493] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.493] GetProcessHeap () returned 0x4e0000 [0113.493] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.493] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.494] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.494] GetProcessHeap () returned 0x4e0000 [0113.494] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.494] GetProcessHeap () returned 0x4e0000 [0113.494] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.494] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.494] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.494] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x39960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.494] SetLastError (dwErrCode=0x0) [0113.494] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.497] GetLastError () returned 0x0 [0113.497] GetLastError () returned 0x0 [0113.497] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x39a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.497] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.497] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x39b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.497] lstrlenA (lpString="NEPHILIM") returned 8 [0113.497] WriteFile (in: hFile=0xf8, lpBuffer=0x50d6f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d6f8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.497] GetProcessHeap () returned 0x4e0000 [0113.497] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x39960) returned 0x518fd8 [0113.497] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.498] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x39960, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x39960, lpOverlapped=0x0) returned 1 [0113.515] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.515] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x39960, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x39960, lpOverlapped=0x0) returned 1 [0113.516] GetProcessHeap () returned 0x4e0000 [0113.517] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.517] CloseHandle (hObject=0xf8) returned 1 [0113.517] GetProcessHeap () returned 0x4e0000 [0113.517] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.517] GetProcessHeap () returned 0x4e0000 [0113.517] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.517] GetProcessHeap () returned 0x4e0000 [0113.517] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.517] GetProcessHeap () returned 0x4e0000 [0113.517] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.517] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" [0113.517] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.NEPHILIM" [0113.517] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll.nephilim")) returned 1 [0113.519] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x47d60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="MAPIR.DLL.trx_dll", cAlternateFileName="MAPIRD~1.TRX")) returned 1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2=".") returned 1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="..") returned 1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="...") returned 1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="windows") returned -1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="rsa") returned -1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="log") returned 1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="NTDETECT.COM") returned -1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="ntldr") returned -1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="MSDOS.SYS") returned -1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.519] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.520] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0113.520] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.520] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.520] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0113.520] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.520] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.520] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="programdata") returned -1 [0113.520] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="appdata") returned 1 [0113.520] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="program files") returned -1 [0113.520] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0113.520] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.520] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="MAPIR.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" [0113.520] PathFindExtensionW (pszPath="MAPIR.DLL.trx_dll") returned=".trx_dll" [0113.520] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.520] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.520] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.520] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.520] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.520] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.520] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.520] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.520] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.520] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.521] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.521] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.521] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.521] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.521] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.521] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.521] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0113.521] lstrlenA (lpString="NEPHILIM") returned 8 [0113.521] GetProcessHeap () returned 0x4e0000 [0113.521] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d708 [0113.525] lstrlenA (lpString="NEPHILIM") returned 8 [0113.525] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.525] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=294240) returned 1 [0113.525] GetProcessHeap () returned 0x4e0000 [0113.525] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.526] GetProcessHeap () returned 0x4e0000 [0113.526] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.526] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.526] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.526] GetProcessHeap () returned 0x4e0000 [0113.526] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.526] GetProcessHeap () returned 0x4e0000 [0113.526] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.526] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.526] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.527] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x47d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.527] SetLastError (dwErrCode=0x0) [0113.527] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.531] GetLastError () returned 0x0 [0113.531] GetLastError () returned 0x0 [0113.531] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x47e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.531] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.532] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x47f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.532] lstrlenA (lpString="NEPHILIM") returned 8 [0113.532] WriteFile (in: hFile=0xf8, lpBuffer=0x50d708*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d708*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.532] GetProcessHeap () returned 0x4e0000 [0113.532] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x47d60) returned 0x518fd8 [0113.532] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.532] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x47d60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x47d60, lpOverlapped=0x0) returned 1 [0113.556] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.556] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x47d60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x47d60, lpOverlapped=0x0) returned 1 [0113.557] GetProcessHeap () returned 0x4e0000 [0113.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.558] CloseHandle (hObject=0xf8) returned 1 [0113.558] GetProcessHeap () returned 0x4e0000 [0113.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.558] GetProcessHeap () returned 0x4e0000 [0113.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.558] GetProcessHeap () returned 0x4e0000 [0113.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.558] GetProcessHeap () returned 0x4e0000 [0113.558] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.558] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" [0113.558] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.NEPHILIM" [0113.558] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll.nephilim")) returned 1 [0113.559] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58968200, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x58968200, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0xc160, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="MOR6INT.REST.trx_dll", cAlternateFileName="MOR6IN~1.TRX")) returned 1 [0113.559] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2=".") returned 1 [0113.559] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="..") returned 1 [0113.559] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="...") returned 1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="windows") returned -1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="rsa") returned -1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="log") returned 1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="NTDETECT.COM") returned -1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="ntldr") returned -1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="MSDOS.SYS") returned -1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="IO.SYS") returned 1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="boot.ini") returned 1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="ntuser.dat") returned -1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="desktop.ini") returned 1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="RECYCLER") returned -1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="bootmgr") returned 1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="programdata") returned -1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="appdata") returned 1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="program files") returned -1 [0113.560] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="program files (x86)") returned -1 [0113.560] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.560] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="MOR6INT.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" [0113.560] PathFindExtensionW (pszPath="MOR6INT.REST.trx_dll") returned=".trx_dll" [0113.560] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.561] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0113.561] lstrlenA (lpString="NEPHILIM") returned 8 [0113.561] GetProcessHeap () returned 0x4e0000 [0113.561] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d718 [0113.561] lstrlenA (lpString="NEPHILIM") returned 8 [0113.561] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.563] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=49504) returned 1 [0113.563] GetProcessHeap () returned 0x4e0000 [0113.563] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.563] GetProcessHeap () returned 0x4e0000 [0113.563] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.564] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.564] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.564] GetProcessHeap () returned 0x4e0000 [0113.564] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.564] GetProcessHeap () returned 0x4e0000 [0113.564] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.564] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.564] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.564] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xc160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.564] SetLastError (dwErrCode=0x0) [0113.564] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.567] GetLastError () returned 0x0 [0113.567] GetLastError () returned 0x0 [0113.567] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xc260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.567] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.567] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xc360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.567] lstrlenA (lpString="NEPHILIM") returned 8 [0113.567] WriteFile (in: hFile=0xf8, lpBuffer=0x50d718*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d718*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.567] GetProcessHeap () returned 0x4e0000 [0113.567] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xc160) returned 0x518fd8 [0113.567] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.568] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0xc160, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0xc160, lpOverlapped=0x0) returned 1 [0113.576] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.576] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0xc160, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0xc160, lpOverlapped=0x0) returned 1 [0113.576] GetProcessHeap () returned 0x4e0000 [0113.576] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.576] CloseHandle (hObject=0xf8) returned 1 [0113.577] GetProcessHeap () returned 0x4e0000 [0113.577] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.577] GetProcessHeap () returned 0x4e0000 [0113.577] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.577] GetProcessHeap () returned 0x4e0000 [0113.577] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.577] GetProcessHeap () returned 0x4e0000 [0113.577] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.577] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" [0113.577] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.NEPHILIM" [0113.577] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll.nephilim")) returned 1 [0113.581] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x248aaf00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x248aaf00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x16f60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="MSOINTL.DLL.trx_dll", cAlternateFileName="MSOINT~1.TRX")) returned 1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2=".") returned 1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="..") returned 1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="...") returned 1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="windows") returned -1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="log") returned 1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned -1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="ntldr") returned -1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0113.581] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.582] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.582] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0113.582] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.582] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.582] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0113.582] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0113.582] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="program files") returned -1 [0113.582] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0113.582] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.582] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="MSOINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" [0113.582] PathFindExtensionW (pszPath="MSOINTL.DLL.trx_dll") returned=".trx_dll" [0113.582] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.582] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.582] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.582] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.582] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.582] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.583] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.583] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.583] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.583] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.583] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.583] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.583] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.583] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.583] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.583] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.583] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0113.583] lstrlenA (lpString="NEPHILIM") returned 8 [0113.583] GetProcessHeap () returned 0x4e0000 [0113.583] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d728 [0113.583] lstrlenA (lpString="NEPHILIM") returned 8 [0113.583] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.584] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=94048) returned 1 [0113.584] GetProcessHeap () returned 0x4e0000 [0113.584] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.584] GetProcessHeap () returned 0x4e0000 [0113.584] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.584] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.585] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.585] GetProcessHeap () returned 0x4e0000 [0113.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.585] GetProcessHeap () returned 0x4e0000 [0113.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.585] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.585] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.585] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x16f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.585] SetLastError (dwErrCode=0x0) [0113.586] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.590] GetLastError () returned 0x0 [0113.590] GetLastError () returned 0x0 [0113.590] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x17060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.590] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.590] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x17160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.590] lstrlenA (lpString="NEPHILIM") returned 8 [0113.590] WriteFile (in: hFile=0xf8, lpBuffer=0x50d728*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d728*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.591] GetProcessHeap () returned 0x4e0000 [0113.591] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x16f60) returned 0x518fd8 [0113.591] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.591] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x16f60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x16f60, lpOverlapped=0x0) returned 1 [0113.599] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.599] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x16f60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x16f60, lpOverlapped=0x0) returned 1 [0113.600] GetProcessHeap () returned 0x4e0000 [0113.600] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.600] CloseHandle (hObject=0xf8) returned 1 [0113.600] GetProcessHeap () returned 0x4e0000 [0113.600] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.600] GetProcessHeap () returned 0x4e0000 [0113.600] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.600] GetProcessHeap () returned 0x4e0000 [0113.600] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.600] GetProcessHeap () returned 0x4e0000 [0113.600] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.600] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" [0113.600] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.NEPHILIM" [0113.600] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll.nephilim")) returned 1 [0113.601] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x25bbdc00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x25bbdc00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x2b2560, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="MSOINTL.REST.trx_dll", cAlternateFileName="MSOINT~2.TRX")) returned 1 [0113.601] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2=".") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="..") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="...") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="windows") returned -1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="rsa") returned -1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="log") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="NTDETECT.COM") returned -1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="ntldr") returned -1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="IO.SYS") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="boot.ini") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="ntuser.dat") returned -1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="desktop.ini") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="RECYCLER") returned -1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="bootmgr") returned 1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="programdata") returned -1 [0113.602] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="appdata") returned 1 [0113.603] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="program files") returned -1 [0113.603] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="program files (x86)") returned -1 [0113.603] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.603] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="MSOINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" [0113.603] PathFindExtensionW (pszPath="MSOINTL.REST.trx_dll") returned=".trx_dll" [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.603] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.603] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0113.603] lstrlenA (lpString="NEPHILIM") returned 8 [0113.603] GetProcessHeap () returned 0x4e0000 [0113.604] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d738 [0113.604] lstrlenA (lpString="NEPHILIM") returned 8 [0113.604] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.604] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=2827616) returned 1 [0113.604] GetProcessHeap () returned 0x4e0000 [0113.604] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.604] GetProcessHeap () returned 0x4e0000 [0113.604] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.604] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.604] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.604] GetProcessHeap () returned 0x4e0000 [0113.604] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.604] GetProcessHeap () returned 0x4e0000 [0113.604] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.604] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.605] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.605] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x2b2560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.605] SetLastError (dwErrCode=0x0) [0113.605] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.607] GetLastError () returned 0x0 [0113.607] GetLastError () returned 0x0 [0113.608] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x2b2660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.608] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.608] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x2b2760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.608] lstrlenA (lpString="NEPHILIM") returned 8 [0113.608] WriteFile (in: hFile=0xf8, lpBuffer=0x50d738*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d738*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.608] GetProcessHeap () returned 0x4e0000 [0113.608] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2110020 [0113.608] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.608] ReadFile (in: hFile=0xf8, lpBuffer=0x2110020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dd0b0*=0x927c0, lpOverlapped=0x0) returned 1 [0113.679] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.679] WriteFile (in: hFile=0xf8, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dd0bc*=0x927c0, lpOverlapped=0x0) returned 1 [0113.681] GetProcessHeap () returned 0x4e0000 [0113.681] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0113.685] CloseHandle (hObject=0xf8) returned 1 [0113.685] GetProcessHeap () returned 0x4e0000 [0113.685] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.685] GetProcessHeap () returned 0x4e0000 [0113.685] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.685] GetProcessHeap () returned 0x4e0000 [0113.685] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.685] GetProcessHeap () returned 0x4e0000 [0113.685] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.686] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" [0113.686] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.NEPHILIM" [0113.686] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll.nephilim")) returned 1 [0113.687] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3564d600, ftCreationTime.dwHighDateTime=0x1cac7fb, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3564d600, ftLastWriteTime.dwHighDateTime=0x1cac7fb, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="OMSINTL.DLL.trx_dll", cAlternateFileName="OMSINT~1.TRX")) returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2=".") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="..") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="...") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="windows") returned -1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="log") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="program files") returned -1 [0113.687] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0113.688] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.688] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="OMSINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" [0113.688] PathFindExtensionW (pszPath="OMSINTL.DLL.trx_dll") returned=".trx_dll" [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.688] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.688] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.688] lstrlenA (lpString="NEPHILIM") returned 8 [0113.688] GetProcessHeap () returned 0x4e0000 [0113.688] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d748 [0113.688] lstrlenA (lpString="NEPHILIM") returned 8 [0113.688] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.689] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=45920) returned 1 [0113.689] GetProcessHeap () returned 0x4e0000 [0113.689] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.689] GetProcessHeap () returned 0x4e0000 [0113.689] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.689] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.689] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.689] GetProcessHeap () returned 0x4e0000 [0113.689] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.689] GetProcessHeap () returned 0x4e0000 [0113.689] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.689] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.690] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.690] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xb360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.690] SetLastError (dwErrCode=0x0) [0113.690] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.696] GetLastError () returned 0x0 [0113.696] GetLastError () returned 0x0 [0113.696] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xb460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.696] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.696] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xb560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.696] lstrlenA (lpString="NEPHILIM") returned 8 [0113.696] WriteFile (in: hFile=0xf8, lpBuffer=0x50d748*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d748*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.697] GetProcessHeap () returned 0x4e0000 [0113.697] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xb360) returned 0x518fd8 [0113.697] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.697] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0xb360, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0xb360, lpOverlapped=0x0) returned 1 [0113.700] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.701] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0xb360, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0xb360, lpOverlapped=0x0) returned 1 [0113.701] GetProcessHeap () returned 0x4e0000 [0113.701] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.701] CloseHandle (hObject=0xf8) returned 1 [0113.701] GetProcessHeap () returned 0x4e0000 [0113.701] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.701] GetProcessHeap () returned 0x4e0000 [0113.701] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.701] GetProcessHeap () returned 0x4e0000 [0113.701] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.701] GetProcessHeap () returned 0x4e0000 [0113.701] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.702] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" [0113.702] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.NEPHILIM" [0113.702] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll.nephilim")) returned 1 [0113.702] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x63b88300, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x63b88300, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x7b60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="ONINTL.DLL.trx_dll", cAlternateFileName="ONINTL~1.TRX")) returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2=".") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="..") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="...") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="windows") returned -1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="log") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0113.703] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="program files") returned -1 [0113.704] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0113.704] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.704] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="ONINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" [0113.704] PathFindExtensionW (pszPath="ONINTL.DLL.trx_dll") returned=".trx_dll" [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.704] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.704] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.704] lstrlenA (lpString="NEPHILIM") returned 8 [0113.704] GetProcessHeap () returned 0x4e0000 [0113.704] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d758 [0113.705] lstrlenA (lpString="NEPHILIM") returned 8 [0113.705] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.705] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=31584) returned 1 [0113.705] GetProcessHeap () returned 0x4e0000 [0113.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.705] GetProcessHeap () returned 0x4e0000 [0113.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.705] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.705] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.705] GetProcessHeap () returned 0x4e0000 [0113.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.705] GetProcessHeap () returned 0x4e0000 [0113.706] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.706] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.706] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.706] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x7b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.706] SetLastError (dwErrCode=0x0) [0113.706] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.708] GetLastError () returned 0x0 [0113.709] GetLastError () returned 0x0 [0113.709] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x7c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.709] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.709] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x7d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.709] lstrlenA (lpString="NEPHILIM") returned 8 [0113.709] WriteFile (in: hFile=0xf8, lpBuffer=0x50d758*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d758*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.709] GetProcessHeap () returned 0x4e0000 [0113.709] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x7b60) returned 0x518fd8 [0113.709] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.709] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x7b60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x7b60, lpOverlapped=0x0) returned 1 [0113.712] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.712] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x7b60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x7b60, lpOverlapped=0x0) returned 1 [0113.712] GetProcessHeap () returned 0x4e0000 [0113.712] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.712] CloseHandle (hObject=0xf8) returned 1 [0113.713] GetProcessHeap () returned 0x4e0000 [0113.713] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.713] GetProcessHeap () returned 0x4e0000 [0113.713] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.713] GetProcessHeap () returned 0x4e0000 [0113.713] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.713] GetProcessHeap () returned 0x4e0000 [0113.713] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.713] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" [0113.713] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.NEPHILIM" [0113.713] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll.nephilim")) returned 1 [0113.714] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x62875600, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x62875600, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x3d960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="ONINTL.REST.trx_dll", cAlternateFileName="ONINTL~2.TRX")) returned 1 [0113.714] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2=".") returned 1 [0113.714] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="..") returned 1 [0113.714] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="...") returned 1 [0113.714] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="windows") returned -1 [0113.714] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.714] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="rsa") returned -1 [0113.714] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="log") returned 1 [0113.714] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.714] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="ntldr") returned 1 [0113.714] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.714] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="IO.SYS") returned 1 [0113.714] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="boot.ini") returned 1 [0113.715] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.715] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0113.715] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="desktop.ini") returned 1 [0113.715] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.715] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="RECYCLER") returned -1 [0113.715] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.715] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="bootmgr") returned 1 [0113.715] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="programdata") returned -1 [0113.715] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="appdata") returned 1 [0113.715] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="program files") returned -1 [0113.715] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="program files (x86)") returned -1 [0113.715] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.715] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="ONINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" [0113.715] PathFindExtensionW (pszPath="ONINTL.REST.trx_dll") returned=".trx_dll" [0113.715] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.715] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.715] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.715] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.715] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.715] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.715] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.715] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.715] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.715] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.715] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.716] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.716] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.716] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.716] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.716] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.716] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.716] lstrlenA (lpString="NEPHILIM") returned 8 [0113.716] GetProcessHeap () returned 0x4e0000 [0113.716] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d768 [0113.716] lstrlenA (lpString="NEPHILIM") returned 8 [0113.716] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.716] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=252256) returned 1 [0113.716] GetProcessHeap () returned 0x4e0000 [0113.717] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.717] GetProcessHeap () returned 0x4e0000 [0113.717] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.717] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.717] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.717] GetProcessHeap () returned 0x4e0000 [0113.717] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.717] GetProcessHeap () returned 0x4e0000 [0113.717] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.717] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.717] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.717] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3d960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.717] SetLastError (dwErrCode=0x0) [0113.717] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.720] GetLastError () returned 0x0 [0113.720] GetLastError () returned 0x0 [0113.720] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3da60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.720] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.720] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3db60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.720] lstrlenA (lpString="NEPHILIM") returned 8 [0113.720] WriteFile (in: hFile=0xf8, lpBuffer=0x50d768*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d768*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.720] GetProcessHeap () returned 0x4e0000 [0113.720] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3d960) returned 0x518fd8 [0113.720] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.720] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x3d960, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x3d960, lpOverlapped=0x0) returned 1 [0113.744] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.744] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x3d960, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x3d960, lpOverlapped=0x0) returned 1 [0113.746] GetProcessHeap () returned 0x4e0000 [0113.746] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.746] CloseHandle (hObject=0xf8) returned 1 [0113.746] GetProcessHeap () returned 0x4e0000 [0113.746] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.746] GetProcessHeap () returned 0x4e0000 [0113.746] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.746] GetProcessHeap () returned 0x4e0000 [0113.746] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.746] GetProcessHeap () returned 0x4e0000 [0113.746] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.746] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" [0113.746] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.NEPHILIM" [0113.746] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll.nephilim")) returned 1 [0113.747] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x35960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="OUTLLIBR.DLL.trx_dll", cAlternateFileName="OUTLLI~1.TRX")) returned 1 [0113.747] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2=".") returned 1 [0113.747] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="..") returned 1 [0113.747] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="...") returned 1 [0113.747] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="windows") returned -1 [0113.747] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.747] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="rsa") returned -1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="log") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="programdata") returned -1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="appdata") returned 1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="program files") returned -1 [0113.748] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0113.748] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.748] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="OUTLLIBR.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" [0113.748] PathFindExtensionW (pszPath="OUTLLIBR.DLL.trx_dll") returned=".trx_dll" [0113.748] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.748] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.748] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.748] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.749] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.749] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.749] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.749] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.749] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.749] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.749] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.749] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.749] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.749] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.749] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.749] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.749] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.749] lstrlenA (lpString="NEPHILIM") returned 8 [0113.749] GetProcessHeap () returned 0x4e0000 [0113.749] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d778 [0113.749] lstrlenA (lpString="NEPHILIM") returned 8 [0113.750] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.751] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=219488) returned 1 [0113.751] GetProcessHeap () returned 0x4e0000 [0113.751] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.751] GetProcessHeap () returned 0x4e0000 [0113.751] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.751] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.751] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.751] GetProcessHeap () returned 0x4e0000 [0113.751] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.751] GetProcessHeap () returned 0x4e0000 [0113.751] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.751] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.752] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.752] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x35960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.752] SetLastError (dwErrCode=0x0) [0113.752] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.755] GetLastError () returned 0x0 [0113.755] GetLastError () returned 0x0 [0113.755] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x35a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.755] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.756] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x35b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.756] lstrlenA (lpString="NEPHILIM") returned 8 [0113.756] WriteFile (in: hFile=0xf8, lpBuffer=0x50d778*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d778*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.756] GetProcessHeap () returned 0x4e0000 [0113.756] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x35960) returned 0x518fd8 [0113.756] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.756] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x35960, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x35960, lpOverlapped=0x0) returned 1 [0113.775] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.775] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x35960, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x35960, lpOverlapped=0x0) returned 1 [0113.776] GetProcessHeap () returned 0x4e0000 [0113.776] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.776] CloseHandle (hObject=0xf8) returned 1 [0113.776] GetProcessHeap () returned 0x4e0000 [0113.776] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.776] GetProcessHeap () returned 0x4e0000 [0113.776] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.776] GetProcessHeap () returned 0x4e0000 [0113.776] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.776] GetProcessHeap () returned 0x4e0000 [0113.776] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.777] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" [0113.777] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.NEPHILIM" [0113.777] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll.nephilim")) returned 1 [0113.778] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x9f560, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="OUTLLIBR.REST.trx_dll", cAlternateFileName="OUTLLI~2.TRX")) returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2=".") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="..") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="...") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="windows") returned -1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="rsa") returned -1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="log") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="ntldr") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="IO.SYS") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="boot.ini") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="desktop.ini") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="RECYCLER") returned -1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="bootmgr") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="programdata") returned -1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="appdata") returned 1 [0113.778] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="program files") returned -1 [0113.779] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="program files (x86)") returned -1 [0113.779] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.779] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="OUTLLIBR.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" [0113.779] PathFindExtensionW (pszPath="OUTLLIBR.REST.trx_dll") returned=".trx_dll" [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.779] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.779] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.779] lstrlenA (lpString="NEPHILIM") returned 8 [0113.779] GetProcessHeap () returned 0x4e0000 [0113.780] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d788 [0113.780] lstrlenA (lpString="NEPHILIM") returned 8 [0113.780] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.780] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=652640) returned 1 [0113.780] GetProcessHeap () returned 0x4e0000 [0113.780] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.780] GetProcessHeap () returned 0x4e0000 [0113.780] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.780] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.782] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.782] GetProcessHeap () returned 0x4e0000 [0113.782] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.782] GetProcessHeap () returned 0x4e0000 [0113.782] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.782] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.783] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.783] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x9f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.783] SetLastError (dwErrCode=0x0) [0113.783] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.786] GetLastError () returned 0x0 [0113.786] GetLastError () returned 0x0 [0113.786] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x9f660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.786] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.786] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x9f760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.786] lstrlenA (lpString="NEPHILIM") returned 8 [0113.786] WriteFile (in: hFile=0xf8, lpBuffer=0x50d788*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d788*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.786] GetProcessHeap () returned 0x4e0000 [0113.786] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x9f560) returned 0x2110020 [0113.787] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.787] ReadFile (in: hFile=0xf8, lpBuffer=0x2110020, nNumberOfBytesToRead=0x9f560, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dd0b0*=0x9f560, lpOverlapped=0x0) returned 1 [0113.855] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.855] WriteFile (in: hFile=0xf8, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x9f560, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dd0bc*=0x9f560, lpOverlapped=0x0) returned 1 [0113.857] GetProcessHeap () returned 0x4e0000 [0113.857] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0113.862] CloseHandle (hObject=0xf8) returned 1 [0113.862] GetProcessHeap () returned 0x4e0000 [0113.862] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.862] GetProcessHeap () returned 0x4e0000 [0113.862] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.862] GetProcessHeap () returned 0x4e0000 [0113.862] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.862] GetProcessHeap () returned 0x4e0000 [0113.862] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.862] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" [0113.862] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.NEPHILIM" [0113.862] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll.nephilim")) returned 1 [0113.863] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x315ed100, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x315ed100, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="OUTLWVW.DLL.trx_dll", cAlternateFileName="OUTLWV~1.TRX")) returned 1 [0113.863] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2=".") returned 1 [0113.863] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="..") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="...") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="windows") returned -1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="rsa") returned -1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="log") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="programdata") returned -1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="appdata") returned 1 [0113.864] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="program files") returned -1 [0113.865] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0113.865] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.865] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="OUTLWVW.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" [0113.865] PathFindExtensionW (pszPath="OUTLWVW.DLL.trx_dll") returned=".trx_dll" [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.865] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.865] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.865] lstrlenA (lpString="NEPHILIM") returned 8 [0113.865] GetProcessHeap () returned 0x4e0000 [0113.866] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d798 [0113.866] lstrlenA (lpString="NEPHILIM") returned 8 [0113.866] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.866] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=11616) returned 1 [0113.866] GetProcessHeap () returned 0x4e0000 [0113.866] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.866] GetProcessHeap () returned 0x4e0000 [0113.866] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.866] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.866] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.867] GetProcessHeap () returned 0x4e0000 [0113.867] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.867] GetProcessHeap () returned 0x4e0000 [0113.867] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.867] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.867] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.867] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x2d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.870] SetLastError (dwErrCode=0x0) [0113.870] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.875] GetLastError () returned 0x0 [0113.875] GetLastError () returned 0x0 [0113.875] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x2e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.875] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.876] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x2f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.876] lstrlenA (lpString="NEPHILIM") returned 8 [0113.876] WriteFile (in: hFile=0xf8, lpBuffer=0x50d798*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d798*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.876] GetProcessHeap () returned 0x4e0000 [0113.876] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2d60) returned 0x518fd8 [0113.876] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.876] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x2d60, lpOverlapped=0x0) returned 1 [0113.878] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.878] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x2d60, lpOverlapped=0x0) returned 1 [0113.878] GetProcessHeap () returned 0x4e0000 [0113.878] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.878] CloseHandle (hObject=0xf8) returned 1 [0113.878] GetProcessHeap () returned 0x4e0000 [0113.878] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.879] GetProcessHeap () returned 0x4e0000 [0113.879] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.879] GetProcessHeap () returned 0x4e0000 [0113.879] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.879] GetProcessHeap () returned 0x4e0000 [0113.879] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.879] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" [0113.879] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.NEPHILIM" [0113.879] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll.nephilim")) returned 1 [0113.880] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1a4a9400, ftCreationTime.dwHighDateTime=0x1cac804, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1a4a9400, ftLastWriteTime.dwHighDateTime=0x1cac804, nFileSizeHigh=0x0, nFileSizeLow=0xd160, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="PPINTL.DLL.trx_dll", cAlternateFileName="PPINTL~1.TRX")) returned 1 [0113.880] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2=".") returned 1 [0113.880] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="..") returned 1 [0113.880] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="...") returned 1 [0113.880] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="windows") returned -1 [0113.880] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.880] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0113.880] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="log") returned 1 [0113.880] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.880] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.880] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.880] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.880] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.881] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.881] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.881] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.881] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.881] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0113.881] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.881] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.881] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0113.881] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0113.881] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="program files") returned -1 [0113.881] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0113.881] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.881] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="PPINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" [0113.881] PathFindExtensionW (pszPath="PPINTL.DLL.trx_dll") returned=".trx_dll" [0113.881] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.881] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.881] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.881] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.881] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.881] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.881] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.881] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.881] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.881] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.882] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.882] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.882] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.882] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.882] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.882] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.882] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.882] lstrlenA (lpString="NEPHILIM") returned 8 [0113.882] GetProcessHeap () returned 0x4e0000 [0113.882] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d7a8 [0113.882] lstrlenA (lpString="NEPHILIM") returned 8 [0113.882] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.882] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=53600) returned 1 [0113.883] GetProcessHeap () returned 0x4e0000 [0113.883] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.883] GetProcessHeap () returned 0x4e0000 [0113.883] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.883] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.883] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.883] GetProcessHeap () returned 0x4e0000 [0113.883] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.883] GetProcessHeap () returned 0x4e0000 [0113.883] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.883] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.883] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.883] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xd160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.884] SetLastError (dwErrCode=0x0) [0113.884] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.887] GetLastError () returned 0x0 [0113.887] GetLastError () returned 0x0 [0113.887] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xd260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.887] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.888] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xd360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.888] lstrlenA (lpString="NEPHILIM") returned 8 [0113.888] WriteFile (in: hFile=0xf8, lpBuffer=0x50d7a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d7a8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.888] GetProcessHeap () returned 0x4e0000 [0113.888] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xd160) returned 0x518fd8 [0113.888] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.888] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0xd160, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0xd160, lpOverlapped=0x0) returned 1 [0113.893] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.894] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0xd160, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0xd160, lpOverlapped=0x0) returned 1 [0113.894] GetProcessHeap () returned 0x4e0000 [0113.894] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.894] CloseHandle (hObject=0xf8) returned 1 [0113.894] GetProcessHeap () returned 0x4e0000 [0113.894] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.894] GetProcessHeap () returned 0x4e0000 [0113.894] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.894] GetProcessHeap () returned 0x4e0000 [0113.894] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.894] GetProcessHeap () returned 0x4e0000 [0113.895] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.895] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" [0113.895] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.NEPHILIM" [0113.895] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll.nephilim")) returned 1 [0113.896] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x19196700, ftCreationTime.dwHighDateTime=0x1cac804, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x19196700, ftLastWriteTime.dwHighDateTime=0x1cac804, nFileSizeHigh=0x0, nFileSizeLow=0x43560, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="PPINTL.REST.trx_dll", cAlternateFileName="PPINTL~2.TRX")) returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2=".") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="..") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="...") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="windows") returned -1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="rsa") returned -1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="log") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="ntldr") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="IO.SYS") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="boot.ini") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="desktop.ini") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="RECYCLER") returned -1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="bootmgr") returned 1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="programdata") returned -1 [0113.896] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="appdata") returned 1 [0113.897] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="program files") returned -1 [0113.897] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="program files (x86)") returned -1 [0113.897] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.897] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="PPINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" [0113.897] PathFindExtensionW (pszPath="PPINTL.REST.trx_dll") returned=".trx_dll" [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.897] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.897] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.898] lstrlenA (lpString="NEPHILIM") returned 8 [0113.898] GetProcessHeap () returned 0x4e0000 [0113.898] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d7b8 [0113.898] lstrlenA (lpString="NEPHILIM") returned 8 [0113.898] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.898] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=275808) returned 1 [0113.898] GetProcessHeap () returned 0x4e0000 [0113.898] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.898] GetProcessHeap () returned 0x4e0000 [0113.898] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.899] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.899] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.899] GetProcessHeap () returned 0x4e0000 [0113.899] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.899] GetProcessHeap () returned 0x4e0000 [0113.899] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.899] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.899] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.899] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x43560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.899] SetLastError (dwErrCode=0x0) [0113.899] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.902] GetLastError () returned 0x0 [0113.902] GetLastError () returned 0x0 [0113.902] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x43660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.902] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.902] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x43760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.902] lstrlenA (lpString="NEPHILIM") returned 8 [0113.902] WriteFile (in: hFile=0xf8, lpBuffer=0x50d7b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d7b8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.902] GetProcessHeap () returned 0x4e0000 [0113.902] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x43560) returned 0x518fd8 [0113.902] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.902] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x43560, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x43560, lpOverlapped=0x0) returned 1 [0113.925] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.925] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x43560, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x43560, lpOverlapped=0x0) returned 1 [0113.926] GetProcessHeap () returned 0x4e0000 [0113.926] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.926] CloseHandle (hObject=0xf8) returned 1 [0113.926] GetProcessHeap () returned 0x4e0000 [0113.926] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.926] GetProcessHeap () returned 0x4e0000 [0113.926] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.926] GetProcessHeap () returned 0x4e0000 [0113.926] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.927] GetProcessHeap () returned 0x4e0000 [0113.927] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.927] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" [0113.927] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.NEPHILIM" [0113.927] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll.nephilim")) returned 1 [0113.928] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58968200, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x58968200, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x1a560, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="PUB6INTL.DLL.trx_dll", cAlternateFileName="PUB6IN~1.TRX")) returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2=".") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="..") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="...") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="windows") returned -1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="rsa") returned -1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="log") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="RECYCLER") returned -1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="programdata") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="appdata") returned 1 [0113.928] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="program files") returned 1 [0113.929] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0113.929] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.929] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="PUB6INTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" [0113.929] PathFindExtensionW (pszPath="PUB6INTL.DLL.trx_dll") returned=".trx_dll" [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.929] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.929] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.929] lstrlenA (lpString="NEPHILIM") returned 8 [0113.929] GetProcessHeap () returned 0x4e0000 [0113.929] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d7c8 [0113.930] lstrlenA (lpString="NEPHILIM") returned 8 [0113.930] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.930] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=107872) returned 1 [0113.930] GetProcessHeap () returned 0x4e0000 [0113.930] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.930] GetProcessHeap () returned 0x4e0000 [0113.930] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.930] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.930] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.930] GetProcessHeap () returned 0x4e0000 [0113.930] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.930] GetProcessHeap () returned 0x4e0000 [0113.930] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.931] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.931] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.931] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x1a560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.931] SetLastError (dwErrCode=0x0) [0113.931] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.935] GetLastError () returned 0x0 [0113.935] GetLastError () returned 0x0 [0113.935] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x1a660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.935] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.935] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x1a760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.935] lstrlenA (lpString="NEPHILIM") returned 8 [0113.935] WriteFile (in: hFile=0xf8, lpBuffer=0x50d7c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d7c8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.935] GetProcessHeap () returned 0x4e0000 [0113.935] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1a560) returned 0x518fd8 [0113.935] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.935] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x1a560, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x1a560, lpOverlapped=0x0) returned 1 [0113.944] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.944] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x1a560, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x1a560, lpOverlapped=0x0) returned 1 [0113.945] GetProcessHeap () returned 0x4e0000 [0113.945] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0113.945] CloseHandle (hObject=0xf8) returned 1 [0113.945] GetProcessHeap () returned 0x4e0000 [0113.945] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0113.945] GetProcessHeap () returned 0x4e0000 [0113.945] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0113.945] GetProcessHeap () returned 0x4e0000 [0113.945] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0113.945] GetProcessHeap () returned 0x4e0000 [0113.945] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0113.945] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" [0113.945] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.NEPHILIM" [0113.945] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll.nephilim")) returned 1 [0113.946] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x57655500, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x57655500, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x87f60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="PUB6INTL.REST.trx_dll", cAlternateFileName="PUB6IN~2.TRX")) returned 1 [0113.946] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2=".") returned 1 [0113.946] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="..") returned 1 [0113.946] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="...") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="windows") returned -1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="rsa") returned -1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="log") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="ntldr") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="IO.SYS") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="boot.ini") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="desktop.ini") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="RECYCLER") returned -1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="bootmgr") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="programdata") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="appdata") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="program files") returned 1 [0113.947] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="program files (x86)") returned 1 [0113.947] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0113.948] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="PUB6INTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" [0113.948] PathFindExtensionW (pszPath="PUB6INTL.REST.trx_dll") returned=".trx_dll" [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0113.948] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0113.948] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0113.948] lstrlenA (lpString="NEPHILIM") returned 8 [0113.948] GetProcessHeap () returned 0x4e0000 [0113.948] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d7d8 [0113.948] lstrlenA (lpString="NEPHILIM") returned 8 [0113.948] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0113.949] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=556896) returned 1 [0113.949] GetProcessHeap () returned 0x4e0000 [0113.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0113.949] GetProcessHeap () returned 0x4e0000 [0113.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0113.949] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0113.949] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0113.949] GetProcessHeap () returned 0x4e0000 [0113.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0113.949] GetProcessHeap () returned 0x4e0000 [0113.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0113.949] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0113.950] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0113.950] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x87f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.950] SetLastError (dwErrCode=0x0) [0113.950] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.952] GetLastError () returned 0x0 [0113.952] GetLastError () returned 0x0 [0113.952] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x88060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.952] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0113.953] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x88160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.953] lstrlenA (lpString="NEPHILIM") returned 8 [0113.953] WriteFile (in: hFile=0xf8, lpBuffer=0x50d7d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d7d8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0113.953] GetProcessHeap () returned 0x4e0000 [0113.953] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x87f60) returned 0x2110020 [0113.953] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.953] ReadFile (in: hFile=0xf8, lpBuffer=0x2110020, nNumberOfBytesToRead=0x87f60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dd0b0*=0x87f60, lpOverlapped=0x0) returned 1 [0114.005] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.005] WriteFile (in: hFile=0xf8, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x87f60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dd0bc*=0x87f60, lpOverlapped=0x0) returned 1 [0114.008] GetProcessHeap () returned 0x4e0000 [0114.008] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0114.011] CloseHandle (hObject=0xf8) returned 1 [0114.011] GetProcessHeap () returned 0x4e0000 [0114.011] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.011] GetProcessHeap () returned 0x4e0000 [0114.012] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.012] GetProcessHeap () returned 0x4e0000 [0114.012] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.012] GetProcessHeap () returned 0x4e0000 [0114.012] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.012] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" [0114.012] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.NEPHILIM" [0114.012] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll.nephilim")) returned 1 [0114.013] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2720b500, ftCreationTime.dwHighDateTime=0x1cac80f, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x2720b500, ftLastWriteTime.dwHighDateTime=0x1cac80f, nFileSizeHigh=0x0, nFileSizeLow=0x57f60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="PUBWZINT.REST.trx_dll", cAlternateFileName="PUBWZI~1.TRX")) returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2=".") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="..") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="...") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="windows") returned -1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="rsa") returned -1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="log") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="ntldr") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="IO.SYS") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="boot.ini") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="desktop.ini") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0114.013] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="RECYCLER") returned -1 [0114.014] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0114.014] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="bootmgr") returned 1 [0114.014] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="programdata") returned 1 [0114.014] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="appdata") returned 1 [0114.014] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="program files") returned 1 [0114.014] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="program files (x86)") returned 1 [0114.014] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0114.014] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="PUBWZINT.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" [0114.014] PathFindExtensionW (pszPath="PUBWZINT.REST.trx_dll") returned=".trx_dll" [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0114.014] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0114.014] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.018] lstrlenA (lpString="NEPHILIM") returned 8 [0114.018] GetProcessHeap () returned 0x4e0000 [0114.018] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d7e8 [0114.018] lstrlenA (lpString="NEPHILIM") returned 8 [0114.018] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0114.019] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=360288) returned 1 [0114.019] GetProcessHeap () returned 0x4e0000 [0114.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.019] GetProcessHeap () returned 0x4e0000 [0114.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.019] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.019] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.019] GetProcessHeap () returned 0x4e0000 [0114.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.019] GetProcessHeap () returned 0x4e0000 [0114.019] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.019] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0114.020] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0114.020] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x57f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.020] SetLastError (dwErrCode=0x0) [0114.020] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.024] GetLastError () returned 0x0 [0114.024] GetLastError () returned 0x0 [0114.024] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x58060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.024] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.024] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x58160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.024] lstrlenA (lpString="NEPHILIM") returned 8 [0114.024] WriteFile (in: hFile=0xf8, lpBuffer=0x50d7e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d7e8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0114.024] GetProcessHeap () returned 0x4e0000 [0114.024] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x57f60) returned 0x518fd8 [0114.025] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.025] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x57f60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x57f60, lpOverlapped=0x0) returned 1 [0114.052] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.052] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x57f60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x57f60, lpOverlapped=0x0) returned 1 [0114.053] GetProcessHeap () returned 0x4e0000 [0114.054] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0114.054] CloseHandle (hObject=0xf8) returned 1 [0114.054] GetProcessHeap () returned 0x4e0000 [0114.054] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.054] GetProcessHeap () returned 0x4e0000 [0114.054] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.054] GetProcessHeap () returned 0x4e0000 [0114.054] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.054] GetProcessHeap () returned 0x4e0000 [0114.054] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.054] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" [0114.054] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.NEPHILIM" [0114.054] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll.nephilim")) returned 1 [0114.055] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x94d0df00, ftCreationTime.dwHighDateTime=0x1cac817, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x94d0df00, ftLastWriteTime.dwHighDateTime=0x1cac817, nFileSizeHigh=0x0, nFileSizeLow=0x3360, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="SGRES.DLL.trx_dll", cAlternateFileName="SGRESD~1.TRX")) returned 1 [0114.055] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2=".") returned 1 [0114.055] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="..") returned 1 [0114.055] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="...") returned 1 [0114.055] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="windows") returned -1 [0114.055] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="rsa") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="log") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="ntldr") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="boot.ini") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="bootmgr") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="programdata") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="appdata") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="program files") returned 1 [0114.056] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0114.056] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0114.056] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="SGRES.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" [0114.056] PathFindExtensionW (pszPath="SGRES.DLL.trx_dll") returned=".trx_dll" [0114.056] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0114.056] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0114.056] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0114.056] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0114.057] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0114.057] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0114.057] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0114.057] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0114.057] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0114.057] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0114.057] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0114.057] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0114.057] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0114.057] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0114.057] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0114.057] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0114.057] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.057] lstrlenA (lpString="NEPHILIM") returned 8 [0114.057] GetProcessHeap () returned 0x4e0000 [0114.057] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d7f8 [0114.057] lstrlenA (lpString="NEPHILIM") returned 8 [0114.057] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0114.058] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=13152) returned 1 [0114.058] GetProcessHeap () returned 0x4e0000 [0114.058] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.058] GetProcessHeap () returned 0x4e0000 [0114.058] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.058] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.058] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.058] GetProcessHeap () returned 0x4e0000 [0114.058] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.058] GetProcessHeap () returned 0x4e0000 [0114.058] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.058] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0114.058] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0114.059] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.059] SetLastError (dwErrCode=0x0) [0114.059] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.063] GetLastError () returned 0x0 [0114.063] GetLastError () returned 0x0 [0114.063] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.064] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.064] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.064] lstrlenA (lpString="NEPHILIM") returned 8 [0114.064] WriteFile (in: hFile=0xf8, lpBuffer=0x50d7f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d7f8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0114.064] GetProcessHeap () returned 0x4e0000 [0114.064] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3360) returned 0x518fd8 [0114.064] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.064] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x3360, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x3360, lpOverlapped=0x0) returned 1 [0114.067] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.067] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x3360, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x3360, lpOverlapped=0x0) returned 1 [0114.067] GetProcessHeap () returned 0x4e0000 [0114.067] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0114.067] CloseHandle (hObject=0xf8) returned 1 [0114.079] GetProcessHeap () returned 0x4e0000 [0114.079] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.079] GetProcessHeap () returned 0x4e0000 [0114.079] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.079] GetProcessHeap () returned 0x4e0000 [0114.079] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.080] GetProcessHeap () returned 0x4e0000 [0114.080] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.080] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" [0114.080] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.NEPHILIM" [0114.080] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll.nephilim")) returned 1 [0114.081] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xca190500, ftCreationTime.dwHighDateTime=0x1cac7f6, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xca190500, ftLastWriteTime.dwHighDateTime=0x1cac7f6, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="STINTL.DLL.trx_dll", cAlternateFileName="STINTL~1.TRX")) returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2=".") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="..") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="...") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="windows") returned -1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="rsa") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="log") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0114.081] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0114.082] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0114.082] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0114.082] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="programdata") returned 1 [0114.082] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0114.082] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="program files") returned 1 [0114.082] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0114.082] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0114.082] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="STINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" [0114.082] PathFindExtensionW (pszPath="STINTL.DLL.trx_dll") returned=".trx_dll" [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0114.082] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0114.083] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0114.083] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.083] lstrlenA (lpString="NEPHILIM") returned 8 [0114.083] GetProcessHeap () returned 0x4e0000 [0114.083] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d808 [0114.083] lstrlenA (lpString="NEPHILIM") returned 8 [0114.083] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0114.083] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=17248) returned 1 [0114.083] GetProcessHeap () returned 0x4e0000 [0114.083] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.084] GetProcessHeap () returned 0x4e0000 [0114.084] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.084] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.084] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.084] GetProcessHeap () returned 0x4e0000 [0114.084] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.084] GetProcessHeap () returned 0x4e0000 [0114.084] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.084] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0114.084] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0114.084] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x4360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.084] SetLastError (dwErrCode=0x0) [0114.084] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.087] GetLastError () returned 0x0 [0114.087] GetLastError () returned 0x0 [0114.087] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x4460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.087] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.087] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x4560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.087] lstrlenA (lpString="NEPHILIM") returned 8 [0114.087] WriteFile (in: hFile=0xf8, lpBuffer=0x50d808*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d808*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0114.087] GetProcessHeap () returned 0x4e0000 [0114.087] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x4360) returned 0x518fd8 [0114.087] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.087] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x4360, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x4360, lpOverlapped=0x0) returned 1 [0114.089] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.089] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x4360, lpOverlapped=0x0) returned 1 [0114.090] GetProcessHeap () returned 0x4e0000 [0114.090] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0114.090] CloseHandle (hObject=0xf8) returned 1 [0114.090] GetProcessHeap () returned 0x4e0000 [0114.090] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.090] GetProcessHeap () returned 0x4e0000 [0114.090] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.090] GetProcessHeap () returned 0x4e0000 [0114.090] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.090] GetProcessHeap () returned 0x4e0000 [0114.090] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.090] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" [0114.090] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.NEPHILIM" [0114.090] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll.nephilim")) returned 1 [0114.091] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf706700, ftCreationTime.dwHighDateTime=0x1cac81a, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbf706700, ftLastWriteTime.dwHighDateTime=0x1cac81a, nFileSizeHigh=0x0, nFileSizeLow=0x6960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="VISBRRES.DLL.trx_dll", cAlternateFileName="VISBRR~1.TRX")) returned 1 [0114.091] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2=".") returned 1 [0114.091] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="..") returned 1 [0114.091] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="...") returned 1 [0114.091] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="windows") returned -1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="rsa") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="log") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="ntldr") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="boot.ini") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="bootmgr") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="programdata") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="appdata") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="program files") returned 1 [0114.092] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0114.092] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0114.092] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="VISBRRES.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" [0114.092] PathFindExtensionW (pszPath="VISBRRES.DLL.trx_dll") returned=".trx_dll" [0114.092] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0114.092] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0114.092] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0114.093] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0114.093] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.093] lstrlenA (lpString="NEPHILIM") returned 8 [0114.093] GetProcessHeap () returned 0x4e0000 [0114.093] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d818 [0114.093] lstrlenA (lpString="NEPHILIM") returned 8 [0114.093] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0114.094] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=26976) returned 1 [0114.094] GetProcessHeap () returned 0x4e0000 [0114.094] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.094] GetProcessHeap () returned 0x4e0000 [0114.094] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.094] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.094] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.094] GetProcessHeap () returned 0x4e0000 [0114.094] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.094] GetProcessHeap () returned 0x4e0000 [0114.094] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.094] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0114.094] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0114.095] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x6960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.095] SetLastError (dwErrCode=0x0) [0114.095] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.097] GetLastError () returned 0x0 [0114.097] GetLastError () returned 0x0 [0114.098] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.098] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.098] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x6b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.098] lstrlenA (lpString="NEPHILIM") returned 8 [0114.098] WriteFile (in: hFile=0xf8, lpBuffer=0x50d818*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d818*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0114.098] GetProcessHeap () returned 0x4e0000 [0114.098] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x6960) returned 0x518fd8 [0114.098] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.098] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x6960, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x6960, lpOverlapped=0x0) returned 1 [0114.102] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.103] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x6960, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x6960, lpOverlapped=0x0) returned 1 [0114.103] GetProcessHeap () returned 0x4e0000 [0114.103] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0114.103] CloseHandle (hObject=0xf8) returned 1 [0114.103] GetProcessHeap () returned 0x4e0000 [0114.103] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.103] GetProcessHeap () returned 0x4e0000 [0114.103] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.103] GetProcessHeap () returned 0x4e0000 [0114.103] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.103] GetProcessHeap () returned 0x4e0000 [0114.103] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.103] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" [0114.103] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.NEPHILIM" [0114.104] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll.nephilim")) returned 1 [0114.104] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x70273800, ftCreationTime.dwHighDateTime=0x1cac814, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x70273800, ftLastWriteTime.dwHighDateTime=0x1cac814, nFileSizeHigh=0x0, nFileSizeLow=0x73960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="VISINTL.DLL.trx_dll", cAlternateFileName="VISINT~1.TRX")) returned 1 [0114.104] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2=".") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="..") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="...") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="windows") returned -1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="rsa") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="log") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="programdata") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="program files") returned 1 [0114.105] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0114.105] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0114.105] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="VISINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" [0114.105] PathFindExtensionW (pszPath="VISINTL.DLL.trx_dll") returned=".trx_dll" [0114.105] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0114.106] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0114.106] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.106] lstrlenA (lpString="NEPHILIM") returned 8 [0114.106] GetProcessHeap () returned 0x4e0000 [0114.106] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d828 [0114.106] lstrlenA (lpString="NEPHILIM") returned 8 [0114.106] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0114.107] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=473440) returned 1 [0114.107] GetProcessHeap () returned 0x4e0000 [0114.107] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.107] GetProcessHeap () returned 0x4e0000 [0114.107] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.107] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.107] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.107] GetProcessHeap () returned 0x4e0000 [0114.107] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.107] GetProcessHeap () returned 0x4e0000 [0114.107] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.107] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0114.108] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0114.108] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x73960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.108] SetLastError (dwErrCode=0x0) [0114.108] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.111] GetLastError () returned 0x0 [0114.111] GetLastError () returned 0x0 [0114.111] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x73a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.112] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.112] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x73b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.112] lstrlenA (lpString="NEPHILIM") returned 8 [0114.112] WriteFile (in: hFile=0xf8, lpBuffer=0x50d828*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d828*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0114.112] GetProcessHeap () returned 0x4e0000 [0114.112] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x73960) returned 0x2010048 [0114.112] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.112] ReadFile (in: hFile=0xf8, lpBuffer=0x2010048, nNumberOfBytesToRead=0x73960, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x2010048*, lpNumberOfBytesRead=0x24dd0b0*=0x73960, lpOverlapped=0x0) returned 1 [0114.146] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.146] WriteFile (in: hFile=0xf8, lpBuffer=0x2010048*, nNumberOfBytesToWrite=0x73960, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x2010048*, lpNumberOfBytesWritten=0x24dd0bc*=0x73960, lpOverlapped=0x0) returned 1 [0114.148] GetProcessHeap () returned 0x4e0000 [0114.148] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2010048 | out: hHeap=0x4e0000) returned 1 [0114.148] CloseHandle (hObject=0xf8) returned 1 [0114.149] GetProcessHeap () returned 0x4e0000 [0114.149] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.149] GetProcessHeap () returned 0x4e0000 [0114.149] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.149] GetProcessHeap () returned 0x4e0000 [0114.149] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.149] GetProcessHeap () returned 0x4e0000 [0114.149] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.149] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" [0114.149] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.NEPHILIM" [0114.149] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll.nephilim")) returned 1 [0114.150] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa1789a00, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0ca650, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa1789a00, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x24360, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="WWINTL.DLL.trx_dll", cAlternateFileName="WWINTL~1.TRX")) returned 1 [0114.150] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2=".") returned 1 [0114.150] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="..") returned 1 [0114.150] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="...") returned 1 [0114.150] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="windows") returned 1 [0114.150] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0114.150] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="rsa") returned 1 [0114.150] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="log") returned 1 [0114.150] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0114.150] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="ntldr") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="boot.ini") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="bootmgr") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="programdata") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="program files") returned 1 [0114.151] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0114.151] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0114.151] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="WWINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" [0114.151] PathFindExtensionW (pszPath="WWINTL.DLL.trx_dll") returned=".trx_dll" [0114.151] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0114.151] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0114.151] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0114.151] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0114.152] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0114.152] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0114.152] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0114.152] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0114.152] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0114.152] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0114.152] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0114.152] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0114.152] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0114.152] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0114.152] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0114.152] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0114.152] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.152] lstrlenA (lpString="NEPHILIM") returned 8 [0114.152] GetProcessHeap () returned 0x4e0000 [0114.152] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d838 [0114.152] lstrlenA (lpString="NEPHILIM") returned 8 [0114.152] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0114.153] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=148320) returned 1 [0114.153] GetProcessHeap () returned 0x4e0000 [0114.153] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.153] GetProcessHeap () returned 0x4e0000 [0114.153] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.153] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.153] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.153] GetProcessHeap () returned 0x4e0000 [0114.153] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.153] GetProcessHeap () returned 0x4e0000 [0114.153] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.153] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0114.154] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0114.154] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x24360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.154] SetLastError (dwErrCode=0x0) [0114.154] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.160] GetLastError () returned 0x0 [0114.160] GetLastError () returned 0x0 [0114.160] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x24460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.161] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.162] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x24560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.162] lstrlenA (lpString="NEPHILIM") returned 8 [0114.162] WriteFile (in: hFile=0xf8, lpBuffer=0x50d838*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d838*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0114.162] GetProcessHeap () returned 0x4e0000 [0114.162] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x24360) returned 0x518fd8 [0114.162] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.162] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x24360, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x24360, lpOverlapped=0x0) returned 1 [0114.173] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.173] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x24360, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x24360, lpOverlapped=0x0) returned 1 [0114.174] GetProcessHeap () returned 0x4e0000 [0114.174] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0114.174] CloseHandle (hObject=0xf8) returned 1 [0114.174] GetProcessHeap () returned 0x4e0000 [0114.174] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.175] GetProcessHeap () returned 0x4e0000 [0114.175] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.175] GetProcessHeap () returned 0x4e0000 [0114.175] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.175] GetProcessHeap () returned 0x4e0000 [0114.175] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.175] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" [0114.175] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.NEPHILIM" [0114.175] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll.nephilim")) returned 1 [0114.176] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa2a9c700, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa2a9c700, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x110b60, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="WWINTL.REST.trx_dll", cAlternateFileName="WWINTL~2.TRX")) returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2=".") returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="..") returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="...") returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="windows") returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="rsa") returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="log") returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="ntldr") returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="IO.SYS") returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="boot.ini") returned 1 [0114.176] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0114.177] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0114.177] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="desktop.ini") returned 1 [0114.177] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0114.177] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="RECYCLER") returned 1 [0114.177] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0114.177] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="bootmgr") returned 1 [0114.177] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="programdata") returned 1 [0114.177] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="appdata") returned 1 [0114.177] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="program files") returned 1 [0114.177] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="program files (x86)") returned 1 [0114.177] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0114.177] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="WWINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" [0114.177] PathFindExtensionW (pszPath="WWINTL.REST.trx_dll") returned=".trx_dll" [0114.177] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0114.177] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0114.177] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0114.177] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0114.177] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0114.177] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0114.177] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0114.177] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0114.177] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0114.177] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0114.178] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0114.178] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0114.178] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0114.178] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0114.178] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0114.178] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0114.178] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.178] lstrlenA (lpString="NEPHILIM") returned 8 [0114.178] GetProcessHeap () returned 0x4e0000 [0114.178] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d848 [0114.178] lstrlenA (lpString="NEPHILIM") returned 8 [0114.178] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0114.181] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=1117024) returned 1 [0114.181] GetProcessHeap () returned 0x4e0000 [0114.181] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.181] GetProcessHeap () returned 0x4e0000 [0114.181] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.181] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.181] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.181] GetProcessHeap () returned 0x4e0000 [0114.181] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.181] GetProcessHeap () returned 0x4e0000 [0114.181] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.181] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0114.182] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0114.182] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x110b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.182] SetLastError (dwErrCode=0x0) [0114.182] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.187] GetLastError () returned 0x0 [0114.187] GetLastError () returned 0x0 [0114.187] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x110c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.187] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.188] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x110d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.188] lstrlenA (lpString="NEPHILIM") returned 8 [0114.188] WriteFile (in: hFile=0xf8, lpBuffer=0x50d848*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d848*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0114.188] GetProcessHeap () returned 0x4e0000 [0114.188] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x110b60) returned 0x22b0020 [0114.188] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.188] ReadFile (in: hFile=0xf8, lpBuffer=0x22b0020, nNumberOfBytesToRead=0x110b60, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesRead=0x24dd0b0*=0x110b60, lpOverlapped=0x0) returned 1 [0114.287] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.287] WriteFile (in: hFile=0xf8, lpBuffer=0x22b0020*, nNumberOfBytesToWrite=0x110b60, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesWritten=0x24dd0bc*=0x110b60, lpOverlapped=0x0) returned 1 [0114.291] GetProcessHeap () returned 0x4e0000 [0114.291] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x22b0020 | out: hHeap=0x4e0000) returned 1 [0114.299] CloseHandle (hObject=0xf8) returned 1 [0114.299] GetProcessHeap () returned 0x4e0000 [0114.299] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.299] GetProcessHeap () returned 0x4e0000 [0114.299] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.299] GetProcessHeap () returned 0x4e0000 [0114.299] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.299] GetProcessHeap () returned 0x4e0000 [0114.299] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.299] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" [0114.299] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.NEPHILIM" [0114.299] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll.nephilim")) returned 1 [0114.300] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x61df1900, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x61df1900, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x23960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="XLINTL32.DLL.trx_dll", cAlternateFileName="XLINTL~1.TRX")) returned 1 [0114.300] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2=".") returned 1 [0114.300] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="..") returned 1 [0114.300] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="...") returned 1 [0114.300] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="windows") returned 1 [0114.300] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0114.300] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="rsa") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="log") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="ntldr") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="boot.ini") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="bootmgr") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="programdata") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="appdata") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="program files") returned 1 [0114.301] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0114.301] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0114.301] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="XLINTL32.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" [0114.301] PathFindExtensionW (pszPath="XLINTL32.DLL.trx_dll") returned=".trx_dll" [0114.301] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0114.301] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0114.301] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0114.301] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0114.302] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0114.302] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0114.302] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0114.302] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0114.302] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0114.302] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0114.302] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0114.302] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0114.302] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0114.302] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0114.302] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0114.302] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0114.302] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.302] lstrlenA (lpString="NEPHILIM") returned 8 [0114.302] GetProcessHeap () returned 0x4e0000 [0114.302] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d858 [0114.302] lstrlenA (lpString="NEPHILIM") returned 8 [0114.302] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0114.303] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=145760) returned 1 [0114.303] GetProcessHeap () returned 0x4e0000 [0114.303] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.303] GetProcessHeap () returned 0x4e0000 [0114.303] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.303] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.303] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.303] GetProcessHeap () returned 0x4e0000 [0114.303] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.303] GetProcessHeap () returned 0x4e0000 [0114.303] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.303] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0114.303] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0114.304] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x23960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.304] SetLastError (dwErrCode=0x0) [0114.304] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.310] GetLastError () returned 0x0 [0114.310] GetLastError () returned 0x0 [0114.310] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x23a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.310] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.310] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x23b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.310] lstrlenA (lpString="NEPHILIM") returned 8 [0114.310] WriteFile (in: hFile=0xf8, lpBuffer=0x50d858*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d858*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0114.310] GetProcessHeap () returned 0x4e0000 [0114.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x23960) returned 0x518fd8 [0114.310] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.310] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x23960, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x23960, lpOverlapped=0x0) returned 1 [0114.321] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.322] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x23960, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x23960, lpOverlapped=0x0) returned 1 [0114.322] GetProcessHeap () returned 0x4e0000 [0114.322] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0114.322] CloseHandle (hObject=0xf8) returned 1 [0114.323] GetProcessHeap () returned 0x4e0000 [0114.323] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.323] GetProcessHeap () returned 0x4e0000 [0114.323] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.323] GetProcessHeap () returned 0x4e0000 [0114.323] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.323] GetProcessHeap () returned 0x4e0000 [0114.323] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.323] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" [0114.323] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.NEPHILIM" [0114.323] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll.nephilim")) returned 1 [0114.324] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x61df1900, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x61df1900, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x126760, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="XLINTL32.REST.trx_dll", cAlternateFileName="XLINTL~2.TRX")) returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2=".") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="..") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="...") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="windows") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="rsa") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="log") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="NTDETECT.COM") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="ntldr") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="MSDOS.SYS") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="IO.SYS") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="boot.ini") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0114.324] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0114.325] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="desktop.ini") returned 1 [0114.325] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="CONFIG.SYS") returned 1 [0114.325] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="RECYCLER") returned 1 [0114.325] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0114.325] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="bootmgr") returned 1 [0114.325] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="programdata") returned 1 [0114.325] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="appdata") returned 1 [0114.325] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="program files") returned 1 [0114.325] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="program files (x86)") returned 1 [0114.325] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0114.325] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="XLINTL32.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" [0114.325] PathFindExtensionW (pszPath="XLINTL32.REST.trx_dll") returned=".trx_dll" [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0114.325] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0114.326] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0114.326] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0114.326] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.326] lstrlenA (lpString="NEPHILIM") returned 8 [0114.326] GetProcessHeap () returned 0x4e0000 [0114.326] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d868 [0114.326] lstrlenA (lpString="NEPHILIM") returned 8 [0114.326] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0114.326] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=1206112) returned 1 [0114.326] GetProcessHeap () returned 0x4e0000 [0114.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.327] GetProcessHeap () returned 0x4e0000 [0114.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.327] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.327] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.327] GetProcessHeap () returned 0x4e0000 [0114.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.327] GetProcessHeap () returned 0x4e0000 [0114.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.327] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce88*=0x100) returned 1 [0114.327] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce84*=0x100) returned 1 [0114.328] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x126760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.328] SetLastError (dwErrCode=0x0) [0114.328] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.330] GetLastError () returned 0x0 [0114.330] GetLastError () returned 0x0 [0114.330] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x126860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.330] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.330] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x126960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.330] lstrlenA (lpString="NEPHILIM") returned 8 [0114.330] WriteFile (in: hFile=0xf8, lpBuffer=0x50d868*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d868*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0114.330] GetProcessHeap () returned 0x4e0000 [0114.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2110020 [0114.331] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.331] ReadFile (in: hFile=0xf8, lpBuffer=0x2110020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dd0b0*=0x927c0, lpOverlapped=0x0) returned 1 [0114.386] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.386] WriteFile (in: hFile=0xf8, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dd0bc*=0x927c0, lpOverlapped=0x0) returned 1 [0114.388] GetProcessHeap () returned 0x4e0000 [0114.388] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0114.408] CloseHandle (hObject=0xf8) returned 1 [0114.408] GetProcessHeap () returned 0x4e0000 [0114.408] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.408] GetProcessHeap () returned 0x4e0000 [0114.408] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.408] GetProcessHeap () returned 0x4e0000 [0114.408] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.408] GetProcessHeap () returned 0x4e0000 [0114.408] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.408] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" [0114.408] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.NEPHILIM" [0114.408] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll.nephilim")) returned 1 [0114.409] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7e38000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd7e38000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 1 [0114.409] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2=".") returned 1 [0114.409] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="..") returned 1 [0114.409] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="...") returned 1 [0114.409] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="windows") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="$RECYCLE.BIN") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="rsa") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="log") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="NTDETECT.COM") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="ntldr") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="MSDOS.SYS") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="IO.SYS") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="boot.ini") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="AUTOEXEC.BAT") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="desktop.ini") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="CONFIG.SYS") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="RECYCLER") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="BOOTSECT.BAK") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="bootmgr") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="programdata") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="appdata") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="program files") returned 1 [0114.410] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0114.410] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0114.410] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="XLSLICER.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" [0114.410] PathFindExtensionW (pszPath="XLSLICER.DLL.trx_dll") returned=".trx_dll" [0114.410] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0114.410] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0114.410] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0114.410] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0114.410] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0114.410] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0114.410] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0114.411] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0114.411] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0114.411] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0114.411] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0114.411] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0114.411] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0114.411] lstrcmpiW (lpString1=".trx_dll", lpString2=".NEPHILIM") returned 1 [0114.411] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0114.411] lstrcmpiW (lpString1=".trx_dll", lpString2=".lnk") returned 1 [0114.411] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.411] lstrlenA (lpString="NEPHILIM") returned 8 [0114.411] GetProcessHeap () returned 0x4e0000 [0114.411] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d878 [0114.411] lstrlenA (lpString="NEPHILIM") returned 8 [0114.411] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0114.412] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=14688) returned 1 [0114.412] GetProcessHeap () returned 0x4e0000 [0114.412] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.412] GetProcessHeap () returned 0x4e0000 [0114.412] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.412] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.412] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.412] GetProcessHeap () returned 0x4e0000 [0114.412] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.412] GetProcessHeap () returned 0x4e0000 [0114.412] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.412] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dce88*=0x100) returned 1 [0114.412] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dce84*=0x100) returned 1 [0114.412] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.412] SetLastError (dwErrCode=0x0) [0114.412] WriteFile (in: hFile=0xf8, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.417] GetLastError () returned 0x0 [0114.417] GetLastError () returned 0x0 [0114.417] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.417] WriteFile (in: hFile=0xf8, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.417] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x3b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.417] lstrlenA (lpString="NEPHILIM") returned 8 [0114.417] WriteFile (in: hFile=0xf8, lpBuffer=0x50d878*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50d878*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0114.417] GetProcessHeap () returned 0x4e0000 [0114.417] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x3960) returned 0x518fd8 [0114.418] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.418] ReadFile (in: hFile=0xf8, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x3960, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd0b0*=0x3960, lpOverlapped=0x0) returned 1 [0114.424] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.424] WriteFile (in: hFile=0xf8, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x3960, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x3960, lpOverlapped=0x0) returned 1 [0114.424] GetProcessHeap () returned 0x4e0000 [0114.424] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0114.424] CloseHandle (hObject=0xf8) returned 1 [0114.425] GetProcessHeap () returned 0x4e0000 [0114.425] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.425] GetProcessHeap () returned 0x4e0000 [0114.425] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.425] GetProcessHeap () returned 0x4e0000 [0114.425] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.425] GetProcessHeap () returned 0x4e0000 [0114.425] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.425] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" [0114.425] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.NEPHILIM" [0114.425] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll.nephilim")) returned 1 [0114.427] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7e38000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd7e38000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x660064, dwReserved1=0x24ddbe0, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 0 [0114.427] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0114.427] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x3cadb4a3, cFileName="3082", cAlternateFileName="")) returned 0 [0114.427] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0114.427] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="UICaptions", cAlternateFileName="UICAPT~1")) returned 0 [0114.427] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0114.427] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0114.427] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0114.427] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0114.427] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="...") returned 1 [0114.427] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="windows") returned -1 [0114.427] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="$RECYCLE.BIN") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="rsa") returned -1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="log") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="NTDETECT.COM") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="ntldr") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="MSDOS.SYS") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="IO.SYS") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="boot.ini") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="AUTOEXEC.BAT") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="ntuser.dat") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="desktop.ini") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="CONFIG.SYS") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="RECYCLER") returned -1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="BOOTSECT.BAK") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="bootmgr") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="programdata") returned -1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="appdata") returned 1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="program files") returned -1 [0114.428] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="program files (x86)") returned -1 [0114.428] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0114.428] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="OfficeSoftwareProtectionPlatform" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform" [0114.428] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" [0114.428] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" [0114.429] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" [0114.429] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0114.429] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.429] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0114.429] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.429] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.429] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Cache", cAlternateFileName="")) returned 1 [0114.429] lstrcmpiW (lpString1="Cache", lpString2=".") returned 1 [0114.429] lstrcmpiW (lpString1="Cache", lpString2="..") returned 1 [0114.429] lstrcmpiW (lpString1="Cache", lpString2="...") returned 1 [0114.429] lstrcmpiW (lpString1="Cache", lpString2="windows") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="$RECYCLE.BIN") returned 1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="rsa") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="log") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="NTDETECT.COM") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="ntldr") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="MSDOS.SYS") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="IO.SYS") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="boot.ini") returned 1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="AUTOEXEC.BAT") returned 1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="ntuser.dat") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="desktop.ini") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="CONFIG.SYS") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="RECYCLER") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="BOOTSECT.BAK") returned 1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="bootmgr") returned 1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="programdata") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="appdata") returned 1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="program files") returned -1 [0114.430] lstrcmpiW (lpString1="Cache", lpString2="program files (x86)") returned -1 [0114.430] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" [0114.430] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\", lpString2="Cache" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache" [0114.430] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\" [0114.430] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\" [0114.431] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*" [0114.431] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x840082, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0114.431] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.431] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x840082, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0114.431] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.431] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.431] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2caa5f40, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x840082, dwReserved1=0x24de260, cFileName="cache.dat", cAlternateFileName="")) returned 1 [0114.431] lstrcmpiW (lpString1="cache.dat", lpString2=".") returned 1 [0114.431] lstrcmpiW (lpString1="cache.dat", lpString2="..") returned 1 [0114.431] lstrcmpiW (lpString1="cache.dat", lpString2="...") returned 1 [0114.431] lstrcmpiW (lpString1="cache.dat", lpString2="windows") returned -1 [0114.431] lstrcmpiW (lpString1="cache.dat", lpString2="$RECYCLE.BIN") returned 1 [0114.431] lstrcmpiW (lpString1="cache.dat", lpString2="rsa") returned -1 [0114.431] lstrcmpiW (lpString1="cache.dat", lpString2="log") returned -1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="NTDETECT.COM") returned -1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="ntldr") returned -1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="MSDOS.SYS") returned -1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="IO.SYS") returned -1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="boot.ini") returned 1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="AUTOEXEC.BAT") returned 1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="ntuser.dat") returned -1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="desktop.ini") returned -1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="CONFIG.SYS") returned -1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="RECYCLER") returned -1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="BOOTSECT.BAK") returned 1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="bootmgr") returned 1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="programdata") returned -1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="appdata") returned 1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="program files") returned -1 [0114.432] lstrcmpiW (lpString1="cache.dat", lpString2="program files (x86)") returned -1 [0114.432] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\" [0114.432] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\", lpString2="cache.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" [0114.432] PathFindExtensionW (pszPath="cache.dat") returned=".dat" [0114.432] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0114.432] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0114.432] lstrcmpiW (lpString1=".dat", lpString2=".cab") returned 1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".cmd") returned 1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".com") returned 1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".cpl") returned 1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".url") returned -1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".mp3") returned -1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".pif") returned -1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".mp4") returned -1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".NEPHILIM") returned -1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0114.433] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0114.433] lstrcmpiW (lpString1="cache.dat", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0114.433] lstrlenA (lpString="NEPHILIM") returned 8 [0114.433] GetProcessHeap () returned 0x4e0000 [0114.433] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d888 [0114.433] lstrlenA (lpString="NEPHILIM") returned 8 [0114.433] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0114.434] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=262768) returned 1 [0114.434] GetProcessHeap () returned 0x4e0000 [0114.434] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.434] GetProcessHeap () returned 0x4e0000 [0114.434] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.434] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.434] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.434] GetProcessHeap () returned 0x4e0000 [0114.434] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.434] GetProcessHeap () returned 0x4e0000 [0114.434] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.435] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.435] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.435] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x40270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.435] SetLastError (dwErrCode=0x0) [0114.435] WriteFile (in: hFile=0xf4, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0114.444] GetLastError () returned 0x0 [0114.444] GetLastError () returned 0x0 [0114.444] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x40370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.444] WriteFile (in: hFile=0xf4, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0114.444] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x40470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.445] lstrlenA (lpString="NEPHILIM") returned 8 [0114.445] WriteFile (in: hFile=0xf4, lpBuffer=0x50d888*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50d888*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0114.445] GetProcessHeap () returned 0x4e0000 [0114.445] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x40270) returned 0x518fd8 [0114.445] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.445] ReadFile (in: hFile=0xf4, lpBuffer=0x518fd8, nNumberOfBytesToRead=0x40270, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesRead=0x24dd730*=0x40270, lpOverlapped=0x0) returned 1 [0114.465] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.465] WriteFile (in: hFile=0xf4, lpBuffer=0x518fd8*, nNumberOfBytesToWrite=0x40270, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x518fd8*, lpNumberOfBytesWritten=0x24dd73c*=0x40270, lpOverlapped=0x0) returned 1 [0114.466] GetProcessHeap () returned 0x4e0000 [0114.466] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x518fd8 | out: hHeap=0x4e0000) returned 1 [0114.466] CloseHandle (hObject=0xf4) returned 1 [0114.466] GetProcessHeap () returned 0x4e0000 [0114.466] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.466] GetProcessHeap () returned 0x4e0000 [0114.466] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.467] GetProcessHeap () returned 0x4e0000 [0114.467] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.467] GetProcessHeap () returned 0x4e0000 [0114.467] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.467] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" [0114.467] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.NEPHILIM" [0114.467] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat.nephilim")) returned 1 [0114.468] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2caa5f40, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x840082, dwReserved1=0x24de260, cFileName="cache.dat", cAlternateFileName="")) returned 0 [0114.468] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0114.468] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0x63c5e40, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="tokens.dat", cAlternateFileName="")) returned 1 [0114.468] lstrcmpiW (lpString1="tokens.dat", lpString2=".") returned 1 [0114.468] lstrcmpiW (lpString1="tokens.dat", lpString2="..") returned 1 [0114.468] lstrcmpiW (lpString1="tokens.dat", lpString2="...") returned 1 [0114.468] lstrcmpiW (lpString1="tokens.dat", lpString2="windows") returned -1 [0114.468] lstrcmpiW (lpString1="tokens.dat", lpString2="$RECYCLE.BIN") returned 1 [0114.468] lstrcmpiW (lpString1="tokens.dat", lpString2="rsa") returned 1 [0114.468] lstrcmpiW (lpString1="tokens.dat", lpString2="log") returned 1 [0114.468] lstrcmpiW (lpString1="tokens.dat", lpString2="NTDETECT.COM") returned 1 [0114.468] lstrcmpiW (lpString1="tokens.dat", lpString2="ntldr") returned 1 [0114.468] lstrcmpiW (lpString1="tokens.dat", lpString2="MSDOS.SYS") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="IO.SYS") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="boot.ini") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="AUTOEXEC.BAT") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="ntuser.dat") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="desktop.ini") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="CONFIG.SYS") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="RECYCLER") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="BOOTSECT.BAK") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="bootmgr") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="programdata") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="appdata") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="program files") returned 1 [0114.469] lstrcmpiW (lpString1="tokens.dat", lpString2="program files (x86)") returned 1 [0114.469] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" [0114.469] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\", lpString2="tokens.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" [0114.469] PathFindExtensionW (pszPath="tokens.dat") returned=".dat" [0114.469] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0114.469] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0114.469] lstrcmpiW (lpString1=".dat", lpString2=".cab") returned 1 [0114.469] lstrcmpiW (lpString1=".dat", lpString2=".cmd") returned 1 [0114.469] lstrcmpiW (lpString1=".dat", lpString2=".com") returned 1 [0114.469] lstrcmpiW (lpString1=".dat", lpString2=".cpl") returned 1 [0114.469] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0114.469] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0114.469] lstrcmpiW (lpString1=".dat", lpString2=".url") returned -1 [0114.469] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0114.469] lstrcmpiW (lpString1=".dat", lpString2=".mp3") returned -1 [0114.470] lstrcmpiW (lpString1=".dat", lpString2=".pif") returned -1 [0114.470] lstrcmpiW (lpString1=".dat", lpString2=".mp4") returned -1 [0114.470] lstrcmpiW (lpString1=".dat", lpString2=".NEPHILIM") returned -1 [0114.470] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0114.470] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0114.470] lstrcmpiW (lpString1="tokens.dat", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.470] lstrlenA (lpString="NEPHILIM") returned 8 [0114.470] GetProcessHeap () returned 0x4e0000 [0114.470] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50d898 [0114.470] lstrlenA (lpString="NEPHILIM") returned 8 [0114.470] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0114.471] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=4627413) returned 1 [0114.472] GetProcessHeap () returned 0x4e0000 [0114.472] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.472] GetProcessHeap () returned 0x4e0000 [0114.472] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.472] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.472] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.472] GetProcessHeap () returned 0x4e0000 [0114.472] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.472] GetProcessHeap () returned 0x4e0000 [0114.472] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.472] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0114.472] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0114.473] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x469bd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.473] SetLastError (dwErrCode=0x0) [0114.473] WriteFile (in: hFile=0xf0, lpBuffer=0x514178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514178*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0114.475] GetLastError () returned 0x0 [0114.476] GetLastError () returned 0x0 [0114.476] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x469cd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.476] WriteFile (in: hFile=0xf0, lpBuffer=0x514070*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514070*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0114.476] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x469dd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.476] lstrlenA (lpString="NEPHILIM") returned 8 [0114.476] WriteFile (in: hFile=0xf0, lpBuffer=0x50d898*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50d898*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0114.476] GetProcessHeap () returned 0x4e0000 [0114.476] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2110020 [0114.476] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.476] ReadFile (in: hFile=0xf0, lpBuffer=0x2110020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dddb0*=0x927c0, lpOverlapped=0x0) returned 1 [0114.581] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.581] WriteFile (in: hFile=0xf0, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dddbc*=0x927c0, lpOverlapped=0x0) returned 1 [0114.584] GetProcessHeap () returned 0x4e0000 [0114.584] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0114.588] CloseHandle (hObject=0xf0) returned 1 [0114.588] GetProcessHeap () returned 0x4e0000 [0114.588] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514178 | out: hHeap=0x4e0000) returned 1 [0114.589] GetProcessHeap () returned 0x4e0000 [0114.589] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514070 | out: hHeap=0x4e0000) returned 1 [0114.589] GetProcessHeap () returned 0x4e0000 [0114.589] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1d0 | out: hHeap=0x4e0000) returned 1 [0114.589] GetProcessHeap () returned 0x4e0000 [0114.589] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d1b8 | out: hHeap=0x4e0000) returned 1 [0114.589] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" [0114.589] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.NEPHILIM" [0114.589] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\tokens.dat.nephilim")) returned 1 [0114.590] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0x63c5e40, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="tokens.dat", cAlternateFileName="")) returned 0 [0114.590] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0114.590] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="RAC", cAlternateFileName="")) returned 1 [0114.590] lstrcmpiW (lpString1="RAC", lpString2=".") returned 1 [0114.590] lstrcmpiW (lpString1="RAC", lpString2="..") returned 1 [0114.590] lstrcmpiW (lpString1="RAC", lpString2="...") returned 1 [0114.590] lstrcmpiW (lpString1="RAC", lpString2="windows") returned -1 [0114.590] lstrcmpiW (lpString1="RAC", lpString2="$RECYCLE.BIN") returned 1 [0114.590] lstrcmpiW (lpString1="RAC", lpString2="rsa") returned -1 [0114.590] lstrcmpiW (lpString1="RAC", lpString2="log") returned 1 [0114.590] lstrcmpiW (lpString1="RAC", lpString2="NTDETECT.COM") returned 1 [0114.590] lstrcmpiW (lpString1="RAC", lpString2="ntldr") returned 1 [0114.590] lstrcmpiW (lpString1="RAC", lpString2="MSDOS.SYS") returned 1 [0114.590] lstrcmpiW (lpString1="RAC", lpString2="IO.SYS") returned 1 [0114.591] lstrcmpiW (lpString1="RAC", lpString2="boot.ini") returned 1 [0114.591] lstrcmpiW (lpString1="RAC", lpString2="AUTOEXEC.BAT") returned 1 [0114.591] lstrcmpiW (lpString1="RAC", lpString2="ntuser.dat") returned 1 [0114.591] lstrcmpiW (lpString1="RAC", lpString2="desktop.ini") returned 1 [0114.591] lstrcmpiW (lpString1="RAC", lpString2="CONFIG.SYS") returned 1 [0114.591] lstrcmpiW (lpString1="RAC", lpString2="RECYCLER") returned -1 [0114.591] lstrcmpiW (lpString1="RAC", lpString2="BOOTSECT.BAK") returned 1 [0114.591] lstrcmpiW (lpString1="RAC", lpString2="bootmgr") returned 1 [0114.591] lstrcmpiW (lpString1="RAC", lpString2="programdata") returned 1 [0114.591] lstrcmpiW (lpString1="RAC", lpString2="appdata") returned 1 [0114.591] lstrcmpiW (lpString1="RAC", lpString2="program files") returned 1 [0114.591] lstrcmpiW (lpString1="RAC", lpString2="program files (x86)") returned 1 [0114.591] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0114.591] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="RAC" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC") returned="C:\\Users\\All Users\\Microsoft\\RAC" [0114.591] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\" [0114.591] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\" [0114.591] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\*.*") returned="C:\\Users\\All Users\\Microsoft\\RAC\\*.*" [0114.591] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0114.592] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.592] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0114.592] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.592] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.592] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Outbound", cAlternateFileName="")) returned 1 [0114.592] lstrcmpiW (lpString1="Outbound", lpString2=".") returned 1 [0114.592] lstrcmpiW (lpString1="Outbound", lpString2="..") returned 1 [0114.592] lstrcmpiW (lpString1="Outbound", lpString2="...") returned 1 [0114.592] lstrcmpiW (lpString1="Outbound", lpString2="windows") returned -1 [0114.592] lstrcmpiW (lpString1="Outbound", lpString2="$RECYCLE.BIN") returned 1 [0114.592] lstrcmpiW (lpString1="Outbound", lpString2="rsa") returned -1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="log") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="NTDETECT.COM") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="ntldr") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="MSDOS.SYS") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="IO.SYS") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="boot.ini") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="AUTOEXEC.BAT") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="ntuser.dat") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="desktop.ini") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="CONFIG.SYS") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="RECYCLER") returned -1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="BOOTSECT.BAK") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="bootmgr") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="programdata") returned -1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="appdata") returned 1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="program files") returned -1 [0114.593] lstrcmpiW (lpString1="Outbound", lpString2="program files (x86)") returned -1 [0114.593] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\" [0114.594] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\", lpString2="Outbound" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound") returned="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound" [0114.594] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\" [0114.594] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\" [0114.594] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*.*") returned="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*.*" [0114.594] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0114.594] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.594] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0114.594] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.594] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.594] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 0 [0114.594] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0114.595] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd238cbc0, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd238cbc0, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="PublishedData", cAlternateFileName="PUBLIS~1")) returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2=".") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="..") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="...") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="windows") returned -1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="$RECYCLE.BIN") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="rsa") returned -1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="log") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="NTDETECT.COM") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="ntldr") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="MSDOS.SYS") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="IO.SYS") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="boot.ini") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="AUTOEXEC.BAT") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="ntuser.dat") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="desktop.ini") returned 1 [0114.595] lstrcmpiW (lpString1="PublishedData", lpString2="CONFIG.SYS") returned 1 [0114.596] lstrcmpiW (lpString1="PublishedData", lpString2="RECYCLER") returned -1 [0114.596] lstrcmpiW (lpString1="PublishedData", lpString2="BOOTSECT.BAK") returned 1 [0114.596] lstrcmpiW (lpString1="PublishedData", lpString2="bootmgr") returned 1 [0114.596] lstrcmpiW (lpString1="PublishedData", lpString2="programdata") returned 1 [0114.596] lstrcmpiW (lpString1="PublishedData", lpString2="appdata") returned 1 [0114.596] lstrcmpiW (lpString1="PublishedData", lpString2="program files") returned 1 [0114.596] lstrcmpiW (lpString1="PublishedData", lpString2="program files (x86)") returned 1 [0114.596] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\" [0114.596] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\", lpString2="PublishedData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData") returned="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData" [0114.596] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\" [0114.596] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\" [0114.596] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*") returned="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*" [0114.596] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd238cbc0, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd238cbc0, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0114.596] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.596] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd238cbc0, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd238cbc0, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0114.597] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.597] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.597] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd238cbc0, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd23d8e80, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2=".") returned 1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="..") returned 1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="...") returned 1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="windows") returned -1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="$RECYCLE.BIN") returned 1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="rsa") returned -1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="log") returned 1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="NTDETECT.COM") returned 1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="ntldr") returned 1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="MSDOS.SYS") returned 1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="IO.SYS") returned 1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="boot.ini") returned 1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="AUTOEXEC.BAT") returned 1 [0114.597] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="ntuser.dat") returned 1 [0114.598] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="desktop.ini") returned 1 [0114.598] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="CONFIG.SYS") returned 1 [0114.598] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="RECYCLER") returned -1 [0114.598] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="BOOTSECT.BAK") returned 1 [0114.598] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="bootmgr") returned 1 [0114.598] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="programdata") returned 1 [0114.598] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="appdata") returned 1 [0114.598] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="program files") returned 1 [0114.598] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="program files (x86)") returned 1 [0114.598] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\" [0114.598] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\", lpString2="RacWmiDatabase.sdf" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" [0114.598] PathFindExtensionW (pszPath="RacWmiDatabase.sdf") returned=".sdf" [0114.598] lstrcmpiW (lpString1=".sdf", lpString2=".exe") returned 1 [0114.598] lstrcmpiW (lpString1=".sdf", lpString2=".log") returned 1 [0114.598] lstrcmpiW (lpString1=".sdf", lpString2=".cab") returned 1 [0114.598] lstrcmpiW (lpString1=".sdf", lpString2=".cmd") returned 1 [0114.598] lstrcmpiW (lpString1=".sdf", lpString2=".com") returned 1 [0114.598] lstrcmpiW (lpString1=".sdf", lpString2=".cpl") returned 1 [0114.599] lstrcmpiW (lpString1=".sdf", lpString2=".ini") returned 1 [0114.599] lstrcmpiW (lpString1=".sdf", lpString2=".dll") returned 1 [0114.599] lstrcmpiW (lpString1=".sdf", lpString2=".url") returned -1 [0114.599] lstrcmpiW (lpString1=".sdf", lpString2=".ttf") returned -1 [0114.599] lstrcmpiW (lpString1=".sdf", lpString2=".mp3") returned 1 [0114.599] lstrcmpiW (lpString1=".sdf", lpString2=".pif") returned 1 [0114.599] lstrcmpiW (lpString1=".sdf", lpString2=".mp4") returned 1 [0114.599] lstrcmpiW (lpString1=".sdf", lpString2=".NEPHILIM") returned 1 [0114.599] lstrcmpiW (lpString1=".sdf", lpString2=".msi") returned 1 [0114.599] lstrcmpiW (lpString1=".sdf", lpString2=".lnk") returned 1 [0114.599] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.599] lstrlenA (lpString="NEPHILIM") returned 8 [0114.599] GetProcessHeap () returned 0x4e0000 [0114.599] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f528 [0114.599] lstrlenA (lpString="NEPHILIM") returned 8 [0114.599] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.600] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.600] GetProcessHeap () returned 0x4e0000 [0114.600] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1b8 [0114.600] GetProcessHeap () returned 0x4e0000 [0114.600] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1d0 [0114.600] SystemFunction036 (in: RandomBuffer=0x50d1b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1b8) returned 1 [0114.600] SystemFunction036 (in: RandomBuffer=0x50d1d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1d0) returned 1 [0114.600] GetProcessHeap () returned 0x4e0000 [0114.600] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514070 [0114.600] GetProcessHeap () returned 0x4e0000 [0114.600] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514178 [0114.600] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514070*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x514070*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.601] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514178*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x514178*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.601] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.601] SetLastError (dwErrCode=0x0) [0114.601] WriteFile (in: hFile=0xffffffff, lpBuffer=0x514070, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.601] GetLastError () returned 0x6 [0114.601] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd238cbc0, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd23d8e80, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 0 [0114.601] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0114.601] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd2366a60, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd2366a60, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="StateData", cAlternateFileName="STATED~1")) returned 1 [0114.601] lstrcmpiW (lpString1="StateData", lpString2=".") returned 1 [0114.601] lstrcmpiW (lpString1="StateData", lpString2="..") returned 1 [0114.601] lstrcmpiW (lpString1="StateData", lpString2="...") returned 1 [0114.601] lstrcmpiW (lpString1="StateData", lpString2="windows") returned -1 [0114.601] lstrcmpiW (lpString1="StateData", lpString2="$RECYCLE.BIN") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="rsa") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="log") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="NTDETECT.COM") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="ntldr") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="MSDOS.SYS") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="IO.SYS") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="boot.ini") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="AUTOEXEC.BAT") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="ntuser.dat") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="desktop.ini") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="CONFIG.SYS") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="RECYCLER") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="BOOTSECT.BAK") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="bootmgr") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="programdata") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="appdata") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="program files") returned 1 [0114.602] lstrcmpiW (lpString1="StateData", lpString2="program files (x86)") returned 1 [0114.602] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\" [0114.602] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\", lpString2="StateData" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\StateData") returned="C:\\Users\\All Users\\Microsoft\\RAC\\StateData" [0114.602] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\StateData", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\" [0114.602] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\" [0114.602] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*") returned="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*" [0114.602] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd2366a60, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd2366a60, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0114.603] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.603] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd2366a60, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd2366a60, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0114.603] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.603] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.603] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb35800, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xecb35800, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xbddb7d60, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="RacDatabase.sdf", cAlternateFileName="RACDAT~1.SDF")) returned 1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2=".") returned 1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="..") returned 1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="...") returned 1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="windows") returned -1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="$RECYCLE.BIN") returned 1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="rsa") returned -1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="log") returned 1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="NTDETECT.COM") returned 1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="ntldr") returned 1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="MSDOS.SYS") returned 1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="IO.SYS") returned 1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="boot.ini") returned 1 [0114.603] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="AUTOEXEC.BAT") returned 1 [0114.604] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="ntuser.dat") returned 1 [0114.604] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="desktop.ini") returned 1 [0114.604] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="CONFIG.SYS") returned 1 [0114.604] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="RECYCLER") returned -1 [0114.604] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="BOOTSECT.BAK") returned 1 [0114.604] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="bootmgr") returned 1 [0114.604] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="programdata") returned 1 [0114.604] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="appdata") returned 1 [0114.604] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="program files") returned 1 [0114.604] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="program files (x86)") returned 1 [0114.604] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\" [0114.604] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\", lpString2="RacDatabase.sdf" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" [0114.604] PathFindExtensionW (pszPath="RacDatabase.sdf") returned=".sdf" [0114.604] lstrcmpiW (lpString1=".sdf", lpString2=".exe") returned 1 [0114.604] lstrcmpiW (lpString1=".sdf", lpString2=".log") returned 1 [0114.604] lstrcmpiW (lpString1=".sdf", lpString2=".cab") returned 1 [0114.604] lstrcmpiW (lpString1=".sdf", lpString2=".cmd") returned 1 [0114.604] lstrcmpiW (lpString1=".sdf", lpString2=".com") returned 1 [0114.604] lstrcmpiW (lpString1=".sdf", lpString2=".cpl") returned 1 [0114.604] lstrcmpiW (lpString1=".sdf", lpString2=".ini") returned 1 [0114.604] lstrcmpiW (lpString1=".sdf", lpString2=".dll") returned 1 [0114.604] lstrcmpiW (lpString1=".sdf", lpString2=".url") returned -1 [0114.604] lstrcmpiW (lpString1=".sdf", lpString2=".ttf") returned -1 [0114.604] lstrcmpiW (lpString1=".sdf", lpString2=".mp3") returned 1 [0114.604] lstrcmpiW (lpString1=".sdf", lpString2=".pif") returned 1 [0114.605] lstrcmpiW (lpString1=".sdf", lpString2=".mp4") returned 1 [0114.605] lstrcmpiW (lpString1=".sdf", lpString2=".NEPHILIM") returned 1 [0114.605] lstrcmpiW (lpString1=".sdf", lpString2=".msi") returned 1 [0114.605] lstrcmpiW (lpString1=".sdf", lpString2=".lnk") returned 1 [0114.605] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.605] lstrlenA (lpString="NEPHILIM") returned 8 [0114.605] GetProcessHeap () returned 0x4e0000 [0114.605] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f538 [0114.605] lstrlenA (lpString="NEPHILIM") returned 8 [0114.605] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.605] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.605] GetProcessHeap () returned 0x4e0000 [0114.605] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d1e8 [0114.605] GetProcessHeap () returned 0x4e0000 [0114.605] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d200 [0114.606] SystemFunction036 (in: RandomBuffer=0x50d1e8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d1e8) returned 1 [0114.606] SystemFunction036 (in: RandomBuffer=0x50d200, RandomBufferLength=0x10 | out: RandomBuffer=0x50d200) returned 1 [0114.606] GetProcessHeap () returned 0x4e0000 [0114.606] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514280 [0114.606] GetProcessHeap () returned 0x4e0000 [0114.606] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514388 [0114.606] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514280*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x514280*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.606] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514388*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x514388*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.606] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.606] SetLastError (dwErrCode=0x0) [0114.606] WriteFile (in: hFile=0xffffffff, lpBuffer=0x514280, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.606] GetLastError () returned 0x6 [0114.606] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0xbddddec0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2=".") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="..") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="...") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="windows") returned -1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="$RECYCLE.BIN") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="rsa") returned -1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="log") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="NTDETECT.COM") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="ntldr") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="MSDOS.SYS") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="IO.SYS") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="boot.ini") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="AUTOEXEC.BAT") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="ntuser.dat") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="desktop.ini") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="CONFIG.SYS") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="RECYCLER") returned -1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="BOOTSECT.BAK") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="bootmgr") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="programdata") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="appdata") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="program files") returned 1 [0114.607] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="program files (x86)") returned 1 [0114.608] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\" [0114.608] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\", lpString2="RacMetaData.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat") returned="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat" [0114.608] PathFindExtensionW (pszPath="RacMetaData.dat") returned=".dat" [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".cab") returned 1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".cmd") returned 1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".com") returned 1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".cpl") returned 1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".url") returned -1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".mp3") returned -1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".pif") returned -1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".mp4") returned -1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".NEPHILIM") returned -1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0114.608] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0114.608] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.608] lstrlenA (lpString="NEPHILIM") returned 8 [0114.608] GetProcessHeap () returned 0x4e0000 [0114.608] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f548 [0114.608] lstrlenA (lpString="NEPHILIM") returned 8 [0114.608] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.609] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.609] GetProcessHeap () returned 0x4e0000 [0114.609] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d218 [0114.609] GetProcessHeap () returned 0x4e0000 [0114.609] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d230 [0114.609] SystemFunction036 (in: RandomBuffer=0x50d218, RandomBufferLength=0x10 | out: RandomBuffer=0x50d218) returned 1 [0114.609] SystemFunction036 (in: RandomBuffer=0x50d230, RandomBufferLength=0x10 | out: RandomBuffer=0x50d230) returned 1 [0114.609] GetProcessHeap () returned 0x4e0000 [0114.609] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514490 [0114.609] GetProcessHeap () returned 0x4e0000 [0114.609] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514598 [0114.609] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514490*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x514490*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.610] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514598*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x514598*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.610] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.610] SetLastError (dwErrCode=0x0) [0114.610] WriteFile (in: hFile=0xffffffff, lpBuffer=0x514490, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.610] GetLastError () returned 0x6 [0114.610] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0xbddddec0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 0 [0114.610] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0114.610] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd24bd6c0, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd24bd6c0, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Temp", cAlternateFileName="")) returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="...") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="$RECYCLE.BIN") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="rsa") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="log") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="NTDETECT.COM") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="ntldr") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="MSDOS.SYS") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="IO.SYS") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="boot.ini") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="AUTOEXEC.BAT") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="ntuser.dat") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="desktop.ini") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="CONFIG.SYS") returned 1 [0114.611] lstrcmpiW (lpString1="Temp", lpString2="RECYCLER") returned 1 [0114.612] lstrcmpiW (lpString1="Temp", lpString2="BOOTSECT.BAK") returned 1 [0114.612] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0114.612] lstrcmpiW (lpString1="Temp", lpString2="programdata") returned 1 [0114.612] lstrcmpiW (lpString1="Temp", lpString2="appdata") returned 1 [0114.612] lstrcmpiW (lpString1="Temp", lpString2="program files") returned 1 [0114.612] lstrcmpiW (lpString1="Temp", lpString2="program files (x86)") returned 1 [0114.612] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\" [0114.612] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\", lpString2="Temp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Temp") returned="C:\\Users\\All Users\\Microsoft\\RAC\\Temp" [0114.612] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\" [0114.612] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\" [0114.612] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" [0114.612] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd24bd6c0, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd24bd6c0, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0114.613] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.613] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd24bd6c0, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd24bd6c0, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0114.613] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.613] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.613] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2497560, ftCreationTime.dwHighDateTime=0x1d607de, ftLastAccessTime.dwLowDateTime=0xd2497560, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd2497560, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="sql1296.tmp", cAlternateFileName="")) returned 1 [0114.613] lstrcmpiW (lpString1="sql1296.tmp", lpString2=".") returned 1 [0114.613] lstrcmpiW (lpString1="sql1296.tmp", lpString2="..") returned 1 [0114.613] lstrcmpiW (lpString1="sql1296.tmp", lpString2="...") returned 1 [0114.613] lstrcmpiW (lpString1="sql1296.tmp", lpString2="windows") returned -1 [0114.613] lstrcmpiW (lpString1="sql1296.tmp", lpString2="$RECYCLE.BIN") returned 1 [0114.613] lstrcmpiW (lpString1="sql1296.tmp", lpString2="rsa") returned 1 [0114.613] lstrcmpiW (lpString1="sql1296.tmp", lpString2="log") returned 1 [0114.613] lstrcmpiW (lpString1="sql1296.tmp", lpString2="NTDETECT.COM") returned 1 [0114.613] lstrcmpiW (lpString1="sql1296.tmp", lpString2="ntldr") returned 1 [0114.613] lstrcmpiW (lpString1="sql1296.tmp", lpString2="MSDOS.SYS") returned 1 [0114.613] lstrcmpiW (lpString1="sql1296.tmp", lpString2="IO.SYS") returned 1 [0114.614] lstrcmpiW (lpString1="sql1296.tmp", lpString2="boot.ini") returned 1 [0114.614] lstrcmpiW (lpString1="sql1296.tmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.614] lstrcmpiW (lpString1="sql1296.tmp", lpString2="ntuser.dat") returned 1 [0114.614] lstrcmpiW (lpString1="sql1296.tmp", lpString2="desktop.ini") returned 1 [0114.614] lstrcmpiW (lpString1="sql1296.tmp", lpString2="CONFIG.SYS") returned 1 [0114.614] lstrcmpiW (lpString1="sql1296.tmp", lpString2="RECYCLER") returned 1 [0114.614] lstrcmpiW (lpString1="sql1296.tmp", lpString2="BOOTSECT.BAK") returned 1 [0114.614] lstrcmpiW (lpString1="sql1296.tmp", lpString2="bootmgr") returned 1 [0114.614] lstrcmpiW (lpString1="sql1296.tmp", lpString2="programdata") returned 1 [0114.614] lstrcmpiW (lpString1="sql1296.tmp", lpString2="appdata") returned 1 [0114.614] lstrcmpiW (lpString1="sql1296.tmp", lpString2="program files") returned 1 [0114.614] lstrcmpiW (lpString1="sql1296.tmp", lpString2="program files (x86)") returned 1 [0114.614] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\" [0114.614] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\", lpString2="sql1296.tmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql1296.tmp") returned="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql1296.tmp" [0114.614] PathFindExtensionW (pszPath="sql1296.tmp") returned=".tmp" [0114.614] lstrcmpiW (lpString1=".tmp", lpString2=".exe") returned 1 [0114.614] lstrcmpiW (lpString1=".tmp", lpString2=".log") returned 1 [0114.614] lstrcmpiW (lpString1=".tmp", lpString2=".cab") returned 1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".cmd") returned 1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".com") returned 1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".cpl") returned 1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".ini") returned 1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".dll") returned 1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".url") returned -1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".ttf") returned -1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".mp3") returned 1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".pif") returned 1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".mp4") returned 1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".NEPHILIM") returned 1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".msi") returned 1 [0114.615] lstrcmpiW (lpString1=".tmp", lpString2=".lnk") returned 1 [0114.615] lstrcmpiW (lpString1="sql1296.tmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.615] lstrlenA (lpString="NEPHILIM") returned 8 [0114.615] GetProcessHeap () returned 0x4e0000 [0114.615] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f558 [0114.616] lstrlenA (lpString="NEPHILIM") returned 8 [0114.616] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql1296.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql1296.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.616] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.616] GetProcessHeap () returned 0x4e0000 [0114.616] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d248 [0114.616] GetProcessHeap () returned 0x4e0000 [0114.616] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d260 [0114.616] SystemFunction036 (in: RandomBuffer=0x50d248, RandomBufferLength=0x10 | out: RandomBuffer=0x50d248) returned 1 [0114.616] SystemFunction036 (in: RandomBuffer=0x50d260, RandomBufferLength=0x10 | out: RandomBuffer=0x50d260) returned 1 [0114.616] GetProcessHeap () returned 0x4e0000 [0114.617] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5146a0 [0114.617] GetProcessHeap () returned 0x4e0000 [0114.617] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5147a8 [0114.617] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5146a0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5146a0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.617] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5147a8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5147a8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.617] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.617] SetLastError (dwErrCode=0x0) [0114.617] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5146a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.618] GetLastError () returned 0x6 [0114.618] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24bd6c0, ftCreationTime.dwHighDateTime=0x1d607de, ftLastAccessTime.dwLowDateTime=0xd24bd6c0, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd24e3820, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="sql12A6.tmp", cAlternateFileName="")) returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2=".") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="..") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="...") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="windows") returned -1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="$RECYCLE.BIN") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="rsa") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="log") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="NTDETECT.COM") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="ntldr") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="MSDOS.SYS") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="IO.SYS") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="boot.ini") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="ntuser.dat") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="desktop.ini") returned 1 [0114.618] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="CONFIG.SYS") returned 1 [0114.619] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="RECYCLER") returned 1 [0114.619] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="BOOTSECT.BAK") returned 1 [0114.619] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="bootmgr") returned 1 [0114.619] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="programdata") returned 1 [0114.619] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="appdata") returned 1 [0114.619] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="program files") returned 1 [0114.619] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="program files (x86)") returned 1 [0114.619] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\") returned="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\" [0114.619] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\", lpString2="sql12A6.tmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql12A6.tmp") returned="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql12A6.tmp" [0114.619] PathFindExtensionW (pszPath="sql12A6.tmp") returned=".tmp" [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".exe") returned 1 [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".log") returned 1 [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".cab") returned 1 [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".cmd") returned 1 [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".com") returned 1 [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".cpl") returned 1 [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".ini") returned 1 [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".dll") returned 1 [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".url") returned -1 [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".ttf") returned -1 [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".mp3") returned 1 [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".pif") returned 1 [0114.619] lstrcmpiW (lpString1=".tmp", lpString2=".mp4") returned 1 [0114.620] lstrcmpiW (lpString1=".tmp", lpString2=".NEPHILIM") returned 1 [0114.620] lstrcmpiW (lpString1=".tmp", lpString2=".msi") returned 1 [0114.620] lstrcmpiW (lpString1=".tmp", lpString2=".lnk") returned 1 [0114.620] lstrcmpiW (lpString1="sql12A6.tmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.620] lstrlenA (lpString="NEPHILIM") returned 8 [0114.620] GetProcessHeap () returned 0x4e0000 [0114.620] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f568 [0114.620] lstrlenA (lpString="NEPHILIM") returned 8 [0114.620] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql12A6.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql12a6.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.620] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.620] GetProcessHeap () returned 0x4e0000 [0114.620] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d278 [0114.620] GetProcessHeap () returned 0x4e0000 [0114.620] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d290 [0114.620] SystemFunction036 (in: RandomBuffer=0x50d278, RandomBufferLength=0x10 | out: RandomBuffer=0x50d278) returned 1 [0114.620] SystemFunction036 (in: RandomBuffer=0x50d290, RandomBufferLength=0x10 | out: RandomBuffer=0x50d290) returned 1 [0114.620] GetProcessHeap () returned 0x4e0000 [0114.620] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5148b0 [0114.620] GetProcessHeap () returned 0x4e0000 [0114.621] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5149b8 [0114.621] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5148b0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x5148b0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.621] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5149b8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5149b8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.621] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.621] SetLastError (dwErrCode=0x0) [0114.621] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5148b0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.621] GetLastError () returned 0x6 [0114.621] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd24bd6c0, ftCreationTime.dwHighDateTime=0x1d607de, ftLastAccessTime.dwLowDateTime=0xd24bd6c0, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd24e3820, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4a0048, dwReserved1=0x24de260, cFileName="sql12A6.tmp", cAlternateFileName="")) returned 0 [0114.621] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0114.621] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd24bd6c0, ftLastAccessTime.dwHighDateTime=0x1d607de, ftLastWriteTime.dwLowDateTime=0xd24bd6c0, ftLastWriteTime.dwHighDateTime=0x1d607de, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Temp", cAlternateFileName="")) returned 0 [0114.621] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0114.621] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Search", cAlternateFileName="")) returned 1 [0114.621] lstrcmpiW (lpString1="Search", lpString2=".") returned 1 [0114.621] lstrcmpiW (lpString1="Search", lpString2="..") returned 1 [0114.621] lstrcmpiW (lpString1="Search", lpString2="...") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="windows") returned -1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="$RECYCLE.BIN") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="rsa") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="log") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="NTDETECT.COM") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="ntldr") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="MSDOS.SYS") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="IO.SYS") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="boot.ini") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="AUTOEXEC.BAT") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="ntuser.dat") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="desktop.ini") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="CONFIG.SYS") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="RECYCLER") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="BOOTSECT.BAK") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="bootmgr") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="programdata") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="appdata") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="program files") returned 1 [0114.622] lstrcmpiW (lpString1="Search", lpString2="program files (x86)") returned 1 [0114.622] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0114.622] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Search" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search") returned="C:\\Users\\All Users\\Microsoft\\Search" [0114.622] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\" [0114.622] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\" [0114.622] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\*.*" [0114.624] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0114.629] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.629] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0114.629] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.629] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.629] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Data", cAlternateFileName="")) returned 1 [0114.630] lstrcmpiW (lpString1="Data", lpString2=".") returned 1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="..") returned 1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="...") returned 1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="windows") returned -1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="$RECYCLE.BIN") returned 1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="rsa") returned -1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="log") returned -1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="NTDETECT.COM") returned -1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="ntldr") returned -1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="MSDOS.SYS") returned -1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="IO.SYS") returned -1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="boot.ini") returned 1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="AUTOEXEC.BAT") returned 1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="ntuser.dat") returned -1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="desktop.ini") returned -1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="CONFIG.SYS") returned 1 [0114.630] lstrcmpiW (lpString1="Data", lpString2="RECYCLER") returned -1 [0114.631] lstrcmpiW (lpString1="Data", lpString2="BOOTSECT.BAK") returned 1 [0114.631] lstrcmpiW (lpString1="Data", lpString2="bootmgr") returned 1 [0114.631] lstrcmpiW (lpString1="Data", lpString2="programdata") returned -1 [0114.631] lstrcmpiW (lpString1="Data", lpString2="appdata") returned 1 [0114.631] lstrcmpiW (lpString1="Data", lpString2="program files") returned -1 [0114.631] lstrcmpiW (lpString1="Data", lpString2="program files (x86)") returned -1 [0114.631] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\" [0114.631] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\", lpString2="Data" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data" [0114.631] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\" [0114.631] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\" [0114.631] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*" [0114.631] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0114.631] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.631] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0114.632] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.632] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.632] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x24de260, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2=".") returned 1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="..") returned 1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="...") returned 1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="windows") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="$RECYCLE.BIN") returned 1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="rsa") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="log") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="NTDETECT.COM") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="ntldr") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="MSDOS.SYS") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="IO.SYS") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="boot.ini") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="AUTOEXEC.BAT") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="ntuser.dat") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="desktop.ini") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="CONFIG.SYS") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="RECYCLER") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="BOOTSECT.BAK") returned -1 [0114.632] lstrcmpiW (lpString1="Applications", lpString2="bootmgr") returned -1 [0114.633] lstrcmpiW (lpString1="Applications", lpString2="programdata") returned -1 [0114.633] lstrcmpiW (lpString1="Applications", lpString2="appdata") returned 1 [0114.633] lstrcmpiW (lpString1="Applications", lpString2="program files") returned -1 [0114.633] lstrcmpiW (lpString1="Applications", lpString2="program files (x86)") returned -1 [0114.633] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\" [0114.633] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\", lpString2="Applications" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications" [0114.633] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\" [0114.633] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\" [0114.633] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*" [0114.633] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0114.636] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.636] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0114.636] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.636] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.636] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x24ddbe0, cFileName="Windows", cAlternateFileName="")) returned 1 [0114.636] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0114.636] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0114.636] lstrcmpiW (lpString1="Windows", lpString2="...") returned 1 [0114.636] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0114.636] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x24ddbe0, cFileName="Windows", cAlternateFileName="")) returned 0 [0114.636] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0114.636] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x24de260, cFileName="Temp", cAlternateFileName="")) returned 1 [0114.636] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="...") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="$RECYCLE.BIN") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="rsa") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="log") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="NTDETECT.COM") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="ntldr") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="MSDOS.SYS") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="IO.SYS") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="boot.ini") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="AUTOEXEC.BAT") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="ntuser.dat") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="desktop.ini") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="CONFIG.SYS") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="RECYCLER") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="BOOTSECT.BAK") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="bootmgr") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="programdata") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="appdata") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="program files") returned 1 [0114.637] lstrcmpiW (lpString1="Temp", lpString2="program files (x86)") returned 1 [0114.637] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\" [0114.637] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\", lpString2="Temp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp" [0114.637] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\" [0114.637] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\" [0114.638] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*" [0114.638] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0114.638] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.638] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0114.638] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.638] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.638] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 0 [0114.638] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0114.638] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x24de260, cFileName="Temp", cAlternateFileName="")) returned 0 [0114.638] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0114.639] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Data", cAlternateFileName="")) returned 0 [0114.639] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0114.639] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2=".") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="..") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="...") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="windows") returned -1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="$RECYCLE.BIN") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="rsa") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="log") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="NTDETECT.COM") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="ntldr") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="MSDOS.SYS") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="IO.SYS") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="boot.ini") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="ntuser.dat") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="desktop.ini") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="CONFIG.SYS") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="RECYCLER") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="BOOTSECT.BAK") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="bootmgr") returned 1 [0114.639] lstrcmpiW (lpString1="User Account Pictures", lpString2="programdata") returned 1 [0114.640] lstrcmpiW (lpString1="User Account Pictures", lpString2="appdata") returned 1 [0114.640] lstrcmpiW (lpString1="User Account Pictures", lpString2="program files") returned 1 [0114.640] lstrcmpiW (lpString1="User Account Pictures", lpString2="program files (x86)") returned 1 [0114.640] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0114.640] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="User Account Pictures" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures" [0114.640] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" [0114.640] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" [0114.640] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" [0114.640] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0114.640] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.640] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0114.640] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.640] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.640] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29423840, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="5p5NrGJn0jS HALPmcxz.dat", cAlternateFileName="5P5NRG~1.DAT")) returned 1 [0114.640] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2=".") returned 1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="..") returned 1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="...") returned 1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="windows") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="$RECYCLE.BIN") returned 1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="rsa") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="log") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="NTDETECT.COM") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="ntldr") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="MSDOS.SYS") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="IO.SYS") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="boot.ini") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="AUTOEXEC.BAT") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="ntuser.dat") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="desktop.ini") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="CONFIG.SYS") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="RECYCLER") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="BOOTSECT.BAK") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="bootmgr") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="programdata") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="appdata") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="program files") returned -1 [0114.641] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="program files (x86)") returned -1 [0114.641] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" [0114.641] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="5p5NrGJn0jS HALPmcxz.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" [0114.641] PathFindExtensionW (pszPath="5p5NrGJn0jS HALPmcxz.dat") returned=".dat" [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".cab") returned 1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".cmd") returned 1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".com") returned 1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".cpl") returned 1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".url") returned -1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".mp3") returned -1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".pif") returned -1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".mp4") returned -1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".NEPHILIM") returned -1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0114.642] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0114.642] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0114.642] lstrlenA (lpString="NEPHILIM") returned 8 [0114.642] GetProcessHeap () returned 0x4e0000 [0114.642] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f578 [0114.642] lstrlenA (lpString="NEPHILIM") returned 8 [0114.642] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0114.645] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=0) returned 1 [0114.645] GetProcessHeap () returned 0x4e0000 [0114.645] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d2a8 [0114.646] GetProcessHeap () returned 0x4e0000 [0114.646] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d2c0 [0114.646] SystemFunction036 (in: RandomBuffer=0x50d2a8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d2a8) returned 1 [0114.646] SystemFunction036 (in: RandomBuffer=0x50d2c0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d2c0) returned 1 [0114.646] GetProcessHeap () returned 0x4e0000 [0114.646] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514ac0 [0114.646] GetProcessHeap () returned 0x4e0000 [0114.646] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514bc8 [0114.646] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514ac0*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x514ac0*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0114.646] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514bc8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x514bc8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0114.647] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.647] SetLastError (dwErrCode=0x0) [0114.647] WriteFile (in: hFile=0xf0, lpBuffer=0x514ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514ac0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0114.648] GetLastError () returned 0x0 [0114.648] GetLastError () returned 0x0 [0114.648] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.648] WriteFile (in: hFile=0xf0, lpBuffer=0x514bc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x514bc8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0114.648] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.648] lstrlenA (lpString="NEPHILIM") returned 8 [0114.649] WriteFile (in: hFile=0xf0, lpBuffer=0x50f578*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50f578*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0114.649] GetProcessHeap () returned 0x4e0000 [0114.649] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x0) returned 0x50f588 [0114.649] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.649] ReadFile (in: hFile=0xf0, lpBuffer=0x50f588, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50f588*, lpNumberOfBytesRead=0x24dddb0*=0x0, lpOverlapped=0x0) returned 1 [0114.649] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.649] WriteFile (in: hFile=0xf0, lpBuffer=0x50f588*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50f588*, lpNumberOfBytesWritten=0x24dddbc*=0x0, lpOverlapped=0x0) returned 1 [0114.649] GetProcessHeap () returned 0x4e0000 [0114.649] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50f588 | out: hHeap=0x4e0000) returned 1 [0114.649] CloseHandle (hObject=0xf0) returned 1 [0114.649] GetProcessHeap () returned 0x4e0000 [0114.649] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514ac0 | out: hHeap=0x4e0000) returned 1 [0114.649] GetProcessHeap () returned 0x4e0000 [0114.649] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x514bc8 | out: hHeap=0x4e0000) returned 1 [0114.649] GetProcessHeap () returned 0x4e0000 [0114.649] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d2a8 | out: hHeap=0x4e0000) returned 1 [0114.649] GetProcessHeap () returned 0x4e0000 [0114.650] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50d2c0 | out: hHeap=0x4e0000) returned 1 [0114.650] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" [0114.650] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.NEPHILIM" [0114.650] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat.nephilim")) returned 1 [0114.651] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Default Pictures", cAlternateFileName="DEFAUL~1")) returned 1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2=".") returned 1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="..") returned 1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="...") returned 1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="windows") returned -1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="$RECYCLE.BIN") returned 1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="rsa") returned -1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="log") returned -1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="NTDETECT.COM") returned -1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="ntldr") returned -1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="MSDOS.SYS") returned -1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="IO.SYS") returned -1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="boot.ini") returned 1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="ntuser.dat") returned -1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="desktop.ini") returned -1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="CONFIG.SYS") returned 1 [0114.651] lstrcmpiW (lpString1="Default Pictures", lpString2="RECYCLER") returned -1 [0114.652] lstrcmpiW (lpString1="Default Pictures", lpString2="BOOTSECT.BAK") returned 1 [0114.652] lstrcmpiW (lpString1="Default Pictures", lpString2="bootmgr") returned 1 [0114.652] lstrcmpiW (lpString1="Default Pictures", lpString2="programdata") returned -1 [0114.652] lstrcmpiW (lpString1="Default Pictures", lpString2="appdata") returned 1 [0114.652] lstrcmpiW (lpString1="Default Pictures", lpString2="program files") returned -1 [0114.652] lstrcmpiW (lpString1="Default Pictures", lpString2="program files (x86)") returned -1 [0114.652] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" [0114.652] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="Default Pictures" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures" [0114.652] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.652] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.652] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0114.652] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0114.657] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.657] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="..", cAlternateFileName="")) returned 1 [0114.657] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.657] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.657] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xda0a8861, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile10.bmp", cAlternateFileName="")) returned 1 [0114.657] lstrcmpiW (lpString1="usertile10.bmp", lpString2=".") returned 1 [0114.657] lstrcmpiW (lpString1="usertile10.bmp", lpString2="..") returned 1 [0114.657] lstrcmpiW (lpString1="usertile10.bmp", lpString2="...") returned 1 [0114.657] lstrcmpiW (lpString1="usertile10.bmp", lpString2="windows") returned -1 [0114.657] lstrcmpiW (lpString1="usertile10.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="rsa") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="log") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="NTDETECT.COM") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="ntldr") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="MSDOS.SYS") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="IO.SYS") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="boot.ini") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="ntuser.dat") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="desktop.ini") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="CONFIG.SYS") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="RECYCLER") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="bootmgr") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="programdata") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="appdata") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="program files") returned 1 [0114.658] lstrcmpiW (lpString1="usertile10.bmp", lpString2="program files (x86)") returned 1 [0114.658] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.658] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile10.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" [0114.658] PathFindExtensionW (pszPath="usertile10.bmp") returned=".bmp" [0114.658] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.658] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.658] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.658] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.659] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.659] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.659] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.659] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.659] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.659] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.659] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.659] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.659] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.659] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.659] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.659] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.659] lstrcmpiW (lpString1="usertile10.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.659] lstrlenA (lpString="NEPHILIM") returned 8 [0114.659] GetProcessHeap () returned 0x4e0000 [0114.659] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f588 [0114.659] lstrlenA (lpString="NEPHILIM") returned 8 [0114.659] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.662] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.662] GetProcessHeap () returned 0x4e0000 [0114.662] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d2c0 [0114.662] GetProcessHeap () returned 0x4e0000 [0114.662] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d2a8 [0114.662] SystemFunction036 (in: RandomBuffer=0x50d2c0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d2c0) returned 1 [0114.662] SystemFunction036 (in: RandomBuffer=0x50d2a8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d2a8) returned 1 [0114.662] GetProcessHeap () returned 0x4e0000 [0114.663] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514bc8 [0114.663] GetProcessHeap () returned 0x4e0000 [0114.663] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514ac0 [0114.663] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514bc8*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x514bc8*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.663] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514ac0*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x514ac0*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.663] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.663] SetLastError (dwErrCode=0x0) [0114.663] WriteFile (in: hFile=0xffffffff, lpBuffer=0x514bc8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.663] GetLastError () returned 0x6 [0114.663] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb5a2927, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile11.bmp", cAlternateFileName="")) returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2=".") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="..") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="...") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="windows") returned -1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="rsa") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="log") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="NTDETECT.COM") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="ntldr") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="MSDOS.SYS") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="IO.SYS") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="boot.ini") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="ntuser.dat") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="desktop.ini") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="CONFIG.SYS") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="RECYCLER") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="bootmgr") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="programdata") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="appdata") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="program files") returned 1 [0114.664] lstrcmpiW (lpString1="usertile11.bmp", lpString2="program files (x86)") returned 1 [0114.664] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.664] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile11.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" [0114.665] PathFindExtensionW (pszPath="usertile11.bmp") returned=".bmp" [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.665] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.665] lstrcmpiW (lpString1="usertile11.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.665] lstrlenA (lpString="NEPHILIM") returned 8 [0114.665] GetProcessHeap () returned 0x4e0000 [0114.665] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f598 [0114.665] lstrlenA (lpString="NEPHILIM") returned 8 [0114.665] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.666] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.666] GetProcessHeap () returned 0x4e0000 [0114.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d2d8 [0114.666] GetProcessHeap () returned 0x4e0000 [0114.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d2f0 [0114.666] SystemFunction036 (in: RandomBuffer=0x50d2d8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d2d8) returned 1 [0114.666] SystemFunction036 (in: RandomBuffer=0x50d2f0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d2f0) returned 1 [0114.666] GetProcessHeap () returned 0x4e0000 [0114.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514cd0 [0114.666] GetProcessHeap () returned 0x4e0000 [0114.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x514dd8 [0114.666] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514cd0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x514cd0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.666] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x514dd8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x514dd8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.667] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.667] SetLastError (dwErrCode=0x0) [0114.667] WriteFile (in: hFile=0xffffffff, lpBuffer=0x514cd0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.667] GetLastError () returned 0x6 [0114.667] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2755d1, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2755d1, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb6d3417, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile12.bmp", cAlternateFileName="")) returned 1 [0114.667] lstrcmpiW (lpString1="usertile12.bmp", lpString2=".") returned 1 [0114.667] lstrcmpiW (lpString1="usertile12.bmp", lpString2="..") returned 1 [0114.667] lstrcmpiW (lpString1="usertile12.bmp", lpString2="...") returned 1 [0114.667] lstrcmpiW (lpString1="usertile12.bmp", lpString2="windows") returned -1 [0114.667] lstrcmpiW (lpString1="usertile12.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.667] lstrcmpiW (lpString1="usertile12.bmp", lpString2="rsa") returned 1 [0114.667] lstrcmpiW (lpString1="usertile12.bmp", lpString2="log") returned 1 [0114.667] lstrcmpiW (lpString1="usertile12.bmp", lpString2="NTDETECT.COM") returned 1 [0114.667] lstrcmpiW (lpString1="usertile12.bmp", lpString2="ntldr") returned 1 [0114.667] lstrcmpiW (lpString1="usertile12.bmp", lpString2="MSDOS.SYS") returned 1 [0114.667] lstrcmpiW (lpString1="usertile12.bmp", lpString2="IO.SYS") returned 1 [0114.668] lstrcmpiW (lpString1="usertile12.bmp", lpString2="boot.ini") returned 1 [0114.668] lstrcmpiW (lpString1="usertile12.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.668] lstrcmpiW (lpString1="usertile12.bmp", lpString2="ntuser.dat") returned 1 [0114.668] lstrcmpiW (lpString1="usertile12.bmp", lpString2="desktop.ini") returned 1 [0114.668] lstrcmpiW (lpString1="usertile12.bmp", lpString2="CONFIG.SYS") returned 1 [0114.668] lstrcmpiW (lpString1="usertile12.bmp", lpString2="RECYCLER") returned 1 [0114.668] lstrcmpiW (lpString1="usertile12.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.668] lstrcmpiW (lpString1="usertile12.bmp", lpString2="bootmgr") returned 1 [0114.668] lstrcmpiW (lpString1="usertile12.bmp", lpString2="programdata") returned 1 [0114.668] lstrcmpiW (lpString1="usertile12.bmp", lpString2="appdata") returned 1 [0114.668] lstrcmpiW (lpString1="usertile12.bmp", lpString2="program files") returned 1 [0114.668] lstrcmpiW (lpString1="usertile12.bmp", lpString2="program files (x86)") returned 1 [0114.668] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.668] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile12.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" [0114.668] PathFindExtensionW (pszPath="usertile12.bmp") returned=".bmp" [0114.668] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.668] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.668] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.668] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.668] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.668] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.668] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.668] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.668] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.668] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.668] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.669] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.669] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.669] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.669] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.669] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.669] lstrcmpiW (lpString1="usertile12.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.669] lstrlenA (lpString="NEPHILIM") returned 8 [0114.669] GetProcessHeap () returned 0x4e0000 [0114.669] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f5a8 [0114.669] lstrlenA (lpString="NEPHILIM") returned 8 [0114.669] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.669] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.669] GetProcessHeap () returned 0x4e0000 [0114.669] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d308 [0114.669] GetProcessHeap () returned 0x4e0000 [0114.669] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d320 [0114.669] SystemFunction036 (in: RandomBuffer=0x50d308, RandomBufferLength=0x10 | out: RandomBuffer=0x50d308) returned 1 [0114.670] SystemFunction036 (in: RandomBuffer=0x50d320, RandomBufferLength=0x10 | out: RandomBuffer=0x50d320) returned 1 [0114.670] GetProcessHeap () returned 0x4e0000 [0114.670] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x518ff0 [0114.672] GetProcessHeap () returned 0x4e0000 [0114.672] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x5190f8 [0114.672] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x518ff0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x518ff0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.672] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5190f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x5190f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.673] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.673] SetLastError (dwErrCode=0x0) [0114.673] WriteFile (in: hFile=0xffffffff, lpBuffer=0x518ff0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.673] GetLastError () returned 0x6 [0114.673] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae29b72e, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae29b72e, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb76b98f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xbeb8, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile13.bmp", cAlternateFileName="")) returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2=".") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="..") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="...") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="windows") returned -1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="rsa") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="log") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="NTDETECT.COM") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="ntldr") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="MSDOS.SYS") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="IO.SYS") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="boot.ini") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="ntuser.dat") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="desktop.ini") returned 1 [0114.673] lstrcmpiW (lpString1="usertile13.bmp", lpString2="CONFIG.SYS") returned 1 [0114.674] lstrcmpiW (lpString1="usertile13.bmp", lpString2="RECYCLER") returned 1 [0114.674] lstrcmpiW (lpString1="usertile13.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.674] lstrcmpiW (lpString1="usertile13.bmp", lpString2="bootmgr") returned 1 [0114.674] lstrcmpiW (lpString1="usertile13.bmp", lpString2="programdata") returned 1 [0114.674] lstrcmpiW (lpString1="usertile13.bmp", lpString2="appdata") returned 1 [0114.674] lstrcmpiW (lpString1="usertile13.bmp", lpString2="program files") returned 1 [0114.674] lstrcmpiW (lpString1="usertile13.bmp", lpString2="program files (x86)") returned 1 [0114.674] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.674] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile13.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" [0114.674] PathFindExtensionW (pszPath="usertile13.bmp") returned=".bmp" [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.674] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.675] lstrcmpiW (lpString1="usertile13.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.675] lstrlenA (lpString="NEPHILIM") returned 8 [0114.675] GetProcessHeap () returned 0x4e0000 [0114.675] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f5b8 [0114.675] lstrlenA (lpString="NEPHILIM") returned 8 [0114.675] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.675] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.675] GetProcessHeap () returned 0x4e0000 [0114.675] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d338 [0114.675] GetProcessHeap () returned 0x4e0000 [0114.675] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d350 [0114.675] SystemFunction036 (in: RandomBuffer=0x50d338, RandomBufferLength=0x10 | out: RandomBuffer=0x50d338) returned 1 [0114.675] SystemFunction036 (in: RandomBuffer=0x50d350, RandomBufferLength=0x10 | out: RandomBuffer=0x50d350) returned 1 [0114.675] GetProcessHeap () returned 0x4e0000 [0114.675] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519200 [0114.675] GetProcessHeap () returned 0x4e0000 [0114.675] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519308 [0114.676] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x519200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.676] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519308*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x519308*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.676] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.676] SetLastError (dwErrCode=0x0) [0114.676] WriteFile (in: hFile=0xffffffff, lpBuffer=0x519200, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.676] GetLastError () returned 0x6 [0114.676] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb82a065, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile14.bmp", cAlternateFileName="")) returned 1 [0114.676] lstrcmpiW (lpString1="usertile14.bmp", lpString2=".") returned 1 [0114.676] lstrcmpiW (lpString1="usertile14.bmp", lpString2="..") returned 1 [0114.676] lstrcmpiW (lpString1="usertile14.bmp", lpString2="...") returned 1 [0114.676] lstrcmpiW (lpString1="usertile14.bmp", lpString2="windows") returned -1 [0114.676] lstrcmpiW (lpString1="usertile14.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="rsa") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="log") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="NTDETECT.COM") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="ntldr") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="MSDOS.SYS") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="IO.SYS") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="boot.ini") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="ntuser.dat") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="desktop.ini") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="CONFIG.SYS") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="RECYCLER") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="bootmgr") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="programdata") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="appdata") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="program files") returned 1 [0114.677] lstrcmpiW (lpString1="usertile14.bmp", lpString2="program files (x86)") returned 1 [0114.677] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.677] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile14.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" [0114.677] PathFindExtensionW (pszPath="usertile14.bmp") returned=".bmp" [0114.677] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.677] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.677] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.677] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.677] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.678] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.678] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.678] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.678] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.678] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.678] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.678] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.678] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.678] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.678] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.678] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.678] lstrcmpiW (lpString1="usertile14.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.678] lstrlenA (lpString="NEPHILIM") returned 8 [0114.678] GetProcessHeap () returned 0x4e0000 [0114.678] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f5c8 [0114.678] lstrlenA (lpString="NEPHILIM") returned 8 [0114.678] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.683] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.683] GetProcessHeap () returned 0x4e0000 [0114.683] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d368 [0114.684] GetProcessHeap () returned 0x4e0000 [0114.684] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d380 [0114.684] SystemFunction036 (in: RandomBuffer=0x50d368, RandomBufferLength=0x10 | out: RandomBuffer=0x50d368) returned 1 [0114.684] SystemFunction036 (in: RandomBuffer=0x50d380, RandomBufferLength=0x10 | out: RandomBuffer=0x50d380) returned 1 [0114.684] GetProcessHeap () returned 0x4e0000 [0114.684] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519410 [0114.684] GetProcessHeap () returned 0x4e0000 [0114.684] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519518 [0114.684] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519410*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x519410*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.684] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519518*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x519518*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.684] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.684] SetLastError (dwErrCode=0x0) [0114.684] WriteFile (in: hFile=0xffffffff, lpBuffer=0x519410, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.684] GetLastError () returned 0x6 [0114.684] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdbb95fd7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile15.bmp", cAlternateFileName="")) returned 1 [0114.684] lstrcmpiW (lpString1="usertile15.bmp", lpString2=".") returned 1 [0114.684] lstrcmpiW (lpString1="usertile15.bmp", lpString2="..") returned 1 [0114.684] lstrcmpiW (lpString1="usertile15.bmp", lpString2="...") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="windows") returned -1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="rsa") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="log") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="NTDETECT.COM") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="ntldr") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="MSDOS.SYS") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="IO.SYS") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="boot.ini") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="ntuser.dat") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="desktop.ini") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="CONFIG.SYS") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="RECYCLER") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="bootmgr") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="programdata") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="appdata") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="program files") returned 1 [0114.685] lstrcmpiW (lpString1="usertile15.bmp", lpString2="program files (x86)") returned 1 [0114.685] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.685] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile15.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" [0114.686] PathFindExtensionW (pszPath="usertile15.bmp") returned=".bmp" [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.686] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.686] lstrcmpiW (lpString1="usertile15.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.686] lstrlenA (lpString="NEPHILIM") returned 8 [0114.686] GetProcessHeap () returned 0x4e0000 [0114.686] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f5d8 [0114.686] lstrlenA (lpString="NEPHILIM") returned 8 [0114.686] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.687] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.687] GetProcessHeap () returned 0x4e0000 [0114.687] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d398 [0114.687] GetProcessHeap () returned 0x4e0000 [0114.687] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d3b0 [0114.687] SystemFunction036 (in: RandomBuffer=0x50d398, RandomBufferLength=0x10 | out: RandomBuffer=0x50d398) returned 1 [0114.687] SystemFunction036 (in: RandomBuffer=0x50d3b0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d3b0) returned 1 [0114.687] GetProcessHeap () returned 0x4e0000 [0114.687] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519620 [0114.687] GetProcessHeap () returned 0x4e0000 [0114.687] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519728 [0114.687] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519620*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x519620*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.687] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519728*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x519728*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.687] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.687] SetLastError (dwErrCode=0x0) [0114.687] WriteFile (in: hFile=0xffffffff, lpBuffer=0x519620, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.688] GetLastError () returned 0x6 [0114.688] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae30db45, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae30db45, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdca9c9ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile16.bmp", cAlternateFileName="")) returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2=".") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="..") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="...") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="windows") returned -1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="rsa") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="log") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="NTDETECT.COM") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="ntldr") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="MSDOS.SYS") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="IO.SYS") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="boot.ini") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="ntuser.dat") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="desktop.ini") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="CONFIG.SYS") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="RECYCLER") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="bootmgr") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="programdata") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="appdata") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="program files") returned 1 [0114.688] lstrcmpiW (lpString1="usertile16.bmp", lpString2="program files (x86)") returned 1 [0114.688] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.688] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile16.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" [0114.688] PathFindExtensionW (pszPath="usertile16.bmp") returned=".bmp" [0114.688] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.689] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.689] lstrcmpiW (lpString1="usertile16.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.689] lstrlenA (lpString="NEPHILIM") returned 8 [0114.689] GetProcessHeap () returned 0x4e0000 [0114.689] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f5e8 [0114.689] lstrlenA (lpString="NEPHILIM") returned 8 [0114.689] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.689] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.689] GetProcessHeap () returned 0x4e0000 [0114.689] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d3c8 [0114.690] GetProcessHeap () returned 0x4e0000 [0114.690] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d3e0 [0114.690] SystemFunction036 (in: RandomBuffer=0x50d3c8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d3c8) returned 1 [0114.690] SystemFunction036 (in: RandomBuffer=0x50d3e0, RandomBufferLength=0x10 | out: RandomBuffer=0x50d3e0) returned 1 [0114.690] GetProcessHeap () returned 0x4e0000 [0114.690] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519830 [0114.690] GetProcessHeap () returned 0x4e0000 [0114.690] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519938 [0114.690] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519830*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x519830*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.690] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519938*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x519938*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.690] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.690] SetLastError (dwErrCode=0x0) [0114.690] WriteFile (in: hFile=0xffffffff, lpBuffer=0x519830, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.690] GetLastError () returned 0x6 [0114.690] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc3f8f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile17.bmp", cAlternateFileName="")) returned 1 [0114.690] lstrcmpiW (lpString1="usertile17.bmp", lpString2=".") returned 1 [0114.690] lstrcmpiW (lpString1="usertile17.bmp", lpString2="..") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="...") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="windows") returned -1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="rsa") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="log") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="NTDETECT.COM") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="ntldr") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="MSDOS.SYS") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="IO.SYS") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="boot.ini") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="ntuser.dat") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="desktop.ini") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="CONFIG.SYS") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="RECYCLER") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="bootmgr") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="programdata") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="appdata") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="program files") returned 1 [0114.691] lstrcmpiW (lpString1="usertile17.bmp", lpString2="program files (x86)") returned 1 [0114.691] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.691] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile17.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" [0114.691] PathFindExtensionW (pszPath="usertile17.bmp") returned=".bmp" [0114.691] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.691] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.691] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.691] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.691] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.691] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.692] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.692] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.692] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.692] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.692] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.692] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.692] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.692] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.692] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.692] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.692] lstrcmpiW (lpString1="usertile17.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.692] lstrlenA (lpString="NEPHILIM") returned 8 [0114.692] GetProcessHeap () returned 0x4e0000 [0114.692] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f5f8 [0114.692] lstrlenA (lpString="NEPHILIM") returned 8 [0114.692] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.692] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.692] GetProcessHeap () returned 0x4e0000 [0114.692] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d3f8 [0114.692] GetProcessHeap () returned 0x4e0000 [0114.692] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d410 [0114.692] SystemFunction036 (in: RandomBuffer=0x50d3f8, RandomBufferLength=0x10 | out: RandomBuffer=0x50d3f8) returned 1 [0114.692] SystemFunction036 (in: RandomBuffer=0x50d410, RandomBufferLength=0x10 | out: RandomBuffer=0x50d410) returned 1 [0114.692] GetProcessHeap () returned 0x4e0000 [0114.692] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519a40 [0114.693] GetProcessHeap () returned 0x4e0000 [0114.693] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519b48 [0114.693] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519a40*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x519a40*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.693] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519b48*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x519b48*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.693] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.693] SetLastError (dwErrCode=0x0) [0114.693] WriteFile (in: hFile=0xffffffff, lpBuffer=0x519a40, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.693] GetLastError () returned 0x6 [0114.693] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc65a55, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile18.bmp", cAlternateFileName="")) returned 1 [0114.693] lstrcmpiW (lpString1="usertile18.bmp", lpString2=".") returned 1 [0114.693] lstrcmpiW (lpString1="usertile18.bmp", lpString2="..") returned 1 [0114.693] lstrcmpiW (lpString1="usertile18.bmp", lpString2="...") returned 1 [0114.693] lstrcmpiW (lpString1="usertile18.bmp", lpString2="windows") returned -1 [0114.693] lstrcmpiW (lpString1="usertile18.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.693] lstrcmpiW (lpString1="usertile18.bmp", lpString2="rsa") returned 1 [0114.693] lstrcmpiW (lpString1="usertile18.bmp", lpString2="log") returned 1 [0114.693] lstrcmpiW (lpString1="usertile18.bmp", lpString2="NTDETECT.COM") returned 1 [0114.693] lstrcmpiW (lpString1="usertile18.bmp", lpString2="ntldr") returned 1 [0114.693] lstrcmpiW (lpString1="usertile18.bmp", lpString2="MSDOS.SYS") returned 1 [0114.693] lstrcmpiW (lpString1="usertile18.bmp", lpString2="IO.SYS") returned 1 [0114.693] lstrcmpiW (lpString1="usertile18.bmp", lpString2="boot.ini") returned 1 [0114.694] lstrcmpiW (lpString1="usertile18.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.694] lstrcmpiW (lpString1="usertile18.bmp", lpString2="ntuser.dat") returned 1 [0114.694] lstrcmpiW (lpString1="usertile18.bmp", lpString2="desktop.ini") returned 1 [0114.694] lstrcmpiW (lpString1="usertile18.bmp", lpString2="CONFIG.SYS") returned 1 [0114.694] lstrcmpiW (lpString1="usertile18.bmp", lpString2="RECYCLER") returned 1 [0114.694] lstrcmpiW (lpString1="usertile18.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.694] lstrcmpiW (lpString1="usertile18.bmp", lpString2="bootmgr") returned 1 [0114.694] lstrcmpiW (lpString1="usertile18.bmp", lpString2="programdata") returned 1 [0114.694] lstrcmpiW (lpString1="usertile18.bmp", lpString2="appdata") returned 1 [0114.694] lstrcmpiW (lpString1="usertile18.bmp", lpString2="program files") returned 1 [0114.694] lstrcmpiW (lpString1="usertile18.bmp", lpString2="program files (x86)") returned 1 [0114.694] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.694] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile18.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" [0114.694] PathFindExtensionW (pszPath="usertile18.bmp") returned=".bmp" [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.694] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.694] lstrcmpiW (lpString1="usertile18.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.694] lstrlenA (lpString="NEPHILIM") returned 8 [0114.695] GetProcessHeap () returned 0x4e0000 [0114.695] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f608 [0114.695] lstrlenA (lpString="NEPHILIM") returned 8 [0114.695] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.698] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.698] GetProcessHeap () returned 0x4e0000 [0114.698] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d428 [0114.698] GetProcessHeap () returned 0x4e0000 [0114.698] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d440 [0114.698] SystemFunction036 (in: RandomBuffer=0x50d428, RandomBufferLength=0x10 | out: RandomBuffer=0x50d428) returned 1 [0114.698] SystemFunction036 (in: RandomBuffer=0x50d440, RandomBufferLength=0x10 | out: RandomBuffer=0x50d440) returned 1 [0114.698] GetProcessHeap () returned 0x4e0000 [0114.698] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519c50 [0114.698] GetProcessHeap () returned 0x4e0000 [0114.698] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519d58 [0114.698] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519c50*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x519c50*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.698] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519d58*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x519d58*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.698] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.698] SetLastError (dwErrCode=0x0) [0114.699] WriteFile (in: hFile=0xffffffff, lpBuffer=0x519c50, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.699] GetLastError () returned 0x6 [0114.699] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae359dff, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae359dff, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc8bbb3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile19.bmp", cAlternateFileName="")) returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2=".") returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="..") returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="...") returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="windows") returned -1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="rsa") returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="log") returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="NTDETECT.COM") returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="ntldr") returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="MSDOS.SYS") returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="IO.SYS") returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="boot.ini") returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.699] lstrcmpiW (lpString1="usertile19.bmp", lpString2="ntuser.dat") returned 1 [0114.700] lstrcmpiW (lpString1="usertile19.bmp", lpString2="desktop.ini") returned 1 [0114.700] lstrcmpiW (lpString1="usertile19.bmp", lpString2="CONFIG.SYS") returned 1 [0114.700] lstrcmpiW (lpString1="usertile19.bmp", lpString2="RECYCLER") returned 1 [0114.700] lstrcmpiW (lpString1="usertile19.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.700] lstrcmpiW (lpString1="usertile19.bmp", lpString2="bootmgr") returned 1 [0114.700] lstrcmpiW (lpString1="usertile19.bmp", lpString2="programdata") returned 1 [0114.700] lstrcmpiW (lpString1="usertile19.bmp", lpString2="appdata") returned 1 [0114.700] lstrcmpiW (lpString1="usertile19.bmp", lpString2="program files") returned 1 [0114.700] lstrcmpiW (lpString1="usertile19.bmp", lpString2="program files (x86)") returned 1 [0114.700] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.700] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile19.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" [0114.700] PathFindExtensionW (pszPath="usertile19.bmp") returned=".bmp" [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.700] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.701] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.701] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.701] lstrcmpiW (lpString1="usertile19.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.701] lstrlenA (lpString="NEPHILIM") returned 8 [0114.701] GetProcessHeap () returned 0x4e0000 [0114.701] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f618 [0114.701] lstrlenA (lpString="NEPHILIM") returned 8 [0114.701] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.701] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.701] GetProcessHeap () returned 0x4e0000 [0114.701] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d458 [0114.701] GetProcessHeap () returned 0x4e0000 [0114.701] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d470 [0114.701] SystemFunction036 (in: RandomBuffer=0x50d458, RandomBufferLength=0x10 | out: RandomBuffer=0x50d458) returned 1 [0114.701] SystemFunction036 (in: RandomBuffer=0x50d470, RandomBufferLength=0x10 | out: RandomBuffer=0x50d470) returned 1 [0114.701] GetProcessHeap () returned 0x4e0000 [0114.701] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519e60 [0114.702] GetProcessHeap () returned 0x4e0000 [0114.702] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x519f68 [0114.702] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519e60*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x519e60*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.702] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x519f68*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x519f68*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.702] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.702] SetLastError (dwErrCode=0x0) [0114.702] WriteFile (in: hFile=0xffffffff, lpBuffer=0x519e60, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.702] GetLastError () returned 0x6 [0114.703] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae37ff5c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae37ff5c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdccb1d11, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile20.bmp", cAlternateFileName="")) returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2=".") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="..") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="...") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="windows") returned -1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="rsa") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="log") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="NTDETECT.COM") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="ntldr") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="MSDOS.SYS") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="IO.SYS") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="boot.ini") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="ntuser.dat") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="desktop.ini") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="CONFIG.SYS") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="RECYCLER") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="bootmgr") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="programdata") returned 1 [0114.703] lstrcmpiW (lpString1="usertile20.bmp", lpString2="appdata") returned 1 [0114.704] lstrcmpiW (lpString1="usertile20.bmp", lpString2="program files") returned 1 [0114.704] lstrcmpiW (lpString1="usertile20.bmp", lpString2="program files (x86)") returned 1 [0114.704] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.704] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile20.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" [0114.704] PathFindExtensionW (pszPath="usertile20.bmp") returned=".bmp" [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.704] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.704] lstrcmpiW (lpString1="usertile20.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.705] lstrlenA (lpString="NEPHILIM") returned 8 [0114.705] GetProcessHeap () returned 0x4e0000 [0114.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f628 [0114.705] lstrlenA (lpString="NEPHILIM") returned 8 [0114.705] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.705] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.705] GetProcessHeap () returned 0x4e0000 [0114.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50d488 [0114.705] GetProcessHeap () returned 0x4e0000 [0114.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50f928 [0114.705] SystemFunction036 (in: RandomBuffer=0x50d488, RandomBufferLength=0x10 | out: RandomBuffer=0x50d488) returned 1 [0114.705] SystemFunction036 (in: RandomBuffer=0x50f928, RandomBufferLength=0x10 | out: RandomBuffer=0x50f928) returned 1 [0114.705] GetProcessHeap () returned 0x4e0000 [0114.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51a070 [0114.705] GetProcessHeap () returned 0x4e0000 [0114.706] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51a178 [0114.706] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51a070*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51a070*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.706] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51a178*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51a178*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.706] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.706] SetLastError (dwErrCode=0x0) [0114.706] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51a070, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.706] GetLastError () returned 0x6 [0114.706] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd069f3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile21.bmp", cAlternateFileName="")) returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2=".") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="..") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="...") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="windows") returned -1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="rsa") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="log") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="NTDETECT.COM") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="ntldr") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="MSDOS.SYS") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="IO.SYS") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="boot.ini") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="ntuser.dat") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="desktop.ini") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="CONFIG.SYS") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="RECYCLER") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="bootmgr") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="programdata") returned 1 [0114.707] lstrcmpiW (lpString1="usertile21.bmp", lpString2="appdata") returned 1 [0114.708] lstrcmpiW (lpString1="usertile21.bmp", lpString2="program files") returned 1 [0114.708] lstrcmpiW (lpString1="usertile21.bmp", lpString2="program files (x86)") returned 1 [0114.708] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.708] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile21.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" [0114.708] PathFindExtensionW (pszPath="usertile21.bmp") returned=".bmp" [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.708] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.708] lstrcmpiW (lpString1="usertile21.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.708] lstrlenA (lpString="NEPHILIM") returned 8 [0114.709] GetProcessHeap () returned 0x4e0000 [0114.709] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f638 [0114.709] lstrlenA (lpString="NEPHILIM") returned 8 [0114.709] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.709] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.709] GetProcessHeap () returned 0x4e0000 [0114.709] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50f940 [0114.709] GetProcessHeap () returned 0x4e0000 [0114.709] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50f958 [0114.709] SystemFunction036 (in: RandomBuffer=0x50f940, RandomBufferLength=0x10 | out: RandomBuffer=0x50f940) returned 1 [0114.709] SystemFunction036 (in: RandomBuffer=0x50f958, RandomBufferLength=0x10 | out: RandomBuffer=0x50f958) returned 1 [0114.709] GetProcessHeap () returned 0x4e0000 [0114.709] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51a280 [0114.709] GetProcessHeap () returned 0x4e0000 [0114.709] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51a388 [0114.710] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51a280*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51a280*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.710] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51a388*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51a388*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.710] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.710] SetLastError (dwErrCode=0x0) [0114.710] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51a280, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.710] GetLastError () returned 0x6 [0114.710] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd09009d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile22.bmp", cAlternateFileName="")) returned 1 [0114.710] lstrcmpiW (lpString1="usertile22.bmp", lpString2=".") returned 1 [0114.710] lstrcmpiW (lpString1="usertile22.bmp", lpString2="..") returned 1 [0114.710] lstrcmpiW (lpString1="usertile22.bmp", lpString2="...") returned 1 [0114.710] lstrcmpiW (lpString1="usertile22.bmp", lpString2="windows") returned -1 [0114.710] lstrcmpiW (lpString1="usertile22.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.710] lstrcmpiW (lpString1="usertile22.bmp", lpString2="rsa") returned 1 [0114.710] lstrcmpiW (lpString1="usertile22.bmp", lpString2="log") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="NTDETECT.COM") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="ntldr") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="MSDOS.SYS") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="IO.SYS") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="boot.ini") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="ntuser.dat") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="desktop.ini") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="CONFIG.SYS") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="RECYCLER") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="bootmgr") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="programdata") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="appdata") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="program files") returned 1 [0114.711] lstrcmpiW (lpString1="usertile22.bmp", lpString2="program files (x86)") returned 1 [0114.711] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.711] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile22.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" [0114.711] PathFindExtensionW (pszPath="usertile22.bmp") returned=".bmp" [0114.711] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.711] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.711] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.711] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.711] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.711] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.711] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.711] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.711] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.712] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.712] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.712] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.712] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.712] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.712] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.712] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.712] lstrcmpiW (lpString1="usertile22.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.712] lstrlenA (lpString="NEPHILIM") returned 8 [0114.712] GetProcessHeap () returned 0x4e0000 [0114.712] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f648 [0114.712] lstrlenA (lpString="NEPHILIM") returned 8 [0114.712] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.713] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.714] GetProcessHeap () returned 0x4e0000 [0114.714] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50f970 [0114.714] GetProcessHeap () returned 0x4e0000 [0114.714] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50f988 [0114.714] SystemFunction036 (in: RandomBuffer=0x50f970, RandomBufferLength=0x10 | out: RandomBuffer=0x50f970) returned 1 [0114.714] SystemFunction036 (in: RandomBuffer=0x50f988, RandomBufferLength=0x10 | out: RandomBuffer=0x50f988) returned 1 [0114.714] GetProcessHeap () returned 0x4e0000 [0114.714] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51a490 [0114.714] GetProcessHeap () returned 0x4e0000 [0114.714] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51a598 [0114.714] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51a490*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51a490*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.714] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51a598*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51a598*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.714] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.714] SetLastError (dwErrCode=0x0) [0114.714] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51a490, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.715] GetLastError () returned 0x6 [0114.715] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3cc216, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3cc216, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd0b61fb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile23.bmp", cAlternateFileName="")) returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2=".") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="..") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="...") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="windows") returned -1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="rsa") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="log") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="NTDETECT.COM") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="ntldr") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="MSDOS.SYS") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="IO.SYS") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="boot.ini") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="ntuser.dat") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="desktop.ini") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="CONFIG.SYS") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="RECYCLER") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="bootmgr") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="programdata") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="appdata") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="program files") returned 1 [0114.715] lstrcmpiW (lpString1="usertile23.bmp", lpString2="program files (x86)") returned 1 [0114.715] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.716] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile23.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" [0114.716] PathFindExtensionW (pszPath="usertile23.bmp") returned=".bmp" [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.716] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.716] lstrcmpiW (lpString1="usertile23.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.716] lstrlenA (lpString="NEPHILIM") returned 8 [0114.716] GetProcessHeap () returned 0x4e0000 [0114.716] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f658 [0114.716] lstrlenA (lpString="NEPHILIM") returned 8 [0114.716] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.717] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.717] GetProcessHeap () returned 0x4e0000 [0114.717] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50f9a0 [0114.717] GetProcessHeap () returned 0x4e0000 [0114.717] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50f9b8 [0114.717] SystemFunction036 (in: RandomBuffer=0x50f9a0, RandomBufferLength=0x10 | out: RandomBuffer=0x50f9a0) returned 1 [0114.717] SystemFunction036 (in: RandomBuffer=0x50f9b8, RandomBufferLength=0x10 | out: RandomBuffer=0x50f9b8) returned 1 [0114.717] GetProcessHeap () returned 0x4e0000 [0114.717] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51a6a0 [0114.717] GetProcessHeap () returned 0x4e0000 [0114.717] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51a7a8 [0114.717] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51a6a0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51a6a0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.718] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51a7a8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51a7a8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.718] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.718] SetLastError (dwErrCode=0x0) [0114.718] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51a6a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.718] GetLastError () returned 0x6 [0114.718] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd232fa7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile24.bmp", cAlternateFileName="")) returned 1 [0114.718] lstrcmpiW (lpString1="usertile24.bmp", lpString2=".") returned 1 [0114.718] lstrcmpiW (lpString1="usertile24.bmp", lpString2="..") returned 1 [0114.718] lstrcmpiW (lpString1="usertile24.bmp", lpString2="...") returned 1 [0114.718] lstrcmpiW (lpString1="usertile24.bmp", lpString2="windows") returned -1 [0114.718] lstrcmpiW (lpString1="usertile24.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.718] lstrcmpiW (lpString1="usertile24.bmp", lpString2="rsa") returned 1 [0114.718] lstrcmpiW (lpString1="usertile24.bmp", lpString2="log") returned 1 [0114.718] lstrcmpiW (lpString1="usertile24.bmp", lpString2="NTDETECT.COM") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="ntldr") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="MSDOS.SYS") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="IO.SYS") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="boot.ini") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="ntuser.dat") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="desktop.ini") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="CONFIG.SYS") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="RECYCLER") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="bootmgr") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="programdata") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="appdata") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="program files") returned 1 [0114.719] lstrcmpiW (lpString1="usertile24.bmp", lpString2="program files (x86)") returned 1 [0114.719] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.719] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile24.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" [0114.719] PathFindExtensionW (pszPath="usertile24.bmp") returned=".bmp" [0114.719] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.719] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.719] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.719] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.719] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.720] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.720] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.720] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.720] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.720] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.720] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.720] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.720] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.720] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.720] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.720] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.720] lstrcmpiW (lpString1="usertile24.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.720] lstrlenA (lpString="NEPHILIM") returned 8 [0114.720] GetProcessHeap () returned 0x4e0000 [0114.720] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f668 [0114.720] lstrlenA (lpString="NEPHILIM") returned 8 [0114.720] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.720] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.721] GetProcessHeap () returned 0x4e0000 [0114.721] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50f9d0 [0114.721] GetProcessHeap () returned 0x4e0000 [0114.721] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50f9e8 [0114.721] SystemFunction036 (in: RandomBuffer=0x50f9d0, RandomBufferLength=0x10 | out: RandomBuffer=0x50f9d0) returned 1 [0114.721] SystemFunction036 (in: RandomBuffer=0x50f9e8, RandomBufferLength=0x10 | out: RandomBuffer=0x50f9e8) returned 1 [0114.721] GetProcessHeap () returned 0x4e0000 [0114.721] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51a8b0 [0114.721] GetProcessHeap () returned 0x4e0000 [0114.721] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51a9b8 [0114.721] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51a8b0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51a8b0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.721] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51a9b8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51a9b8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.721] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.722] SetLastError (dwErrCode=0x0) [0114.722] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51a8b0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.722] GetLastError () returned 0x6 [0114.722] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd259105, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile25.bmp", cAlternateFileName="")) returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2=".") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="..") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="...") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="windows") returned -1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="rsa") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="log") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="NTDETECT.COM") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="ntldr") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="MSDOS.SYS") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="IO.SYS") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="boot.ini") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="ntuser.dat") returned 1 [0114.722] lstrcmpiW (lpString1="usertile25.bmp", lpString2="desktop.ini") returned 1 [0114.723] lstrcmpiW (lpString1="usertile25.bmp", lpString2="CONFIG.SYS") returned 1 [0114.723] lstrcmpiW (lpString1="usertile25.bmp", lpString2="RECYCLER") returned 1 [0114.723] lstrcmpiW (lpString1="usertile25.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.723] lstrcmpiW (lpString1="usertile25.bmp", lpString2="bootmgr") returned 1 [0114.723] lstrcmpiW (lpString1="usertile25.bmp", lpString2="programdata") returned 1 [0114.723] lstrcmpiW (lpString1="usertile25.bmp", lpString2="appdata") returned 1 [0114.723] lstrcmpiW (lpString1="usertile25.bmp", lpString2="program files") returned 1 [0114.723] lstrcmpiW (lpString1="usertile25.bmp", lpString2="program files (x86)") returned 1 [0114.723] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.723] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile25.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" [0114.723] PathFindExtensionW (pszPath="usertile25.bmp") returned=".bmp" [0114.723] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.723] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.723] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.723] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.723] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.723] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.723] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.724] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.724] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.724] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.724] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.724] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.724] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.724] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.724] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.724] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.724] lstrcmpiW (lpString1="usertile25.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.724] lstrlenA (lpString="NEPHILIM") returned 8 [0114.724] GetProcessHeap () returned 0x4e0000 [0114.724] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f678 [0114.724] lstrlenA (lpString="NEPHILIM") returned 8 [0114.724] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.725] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.725] GetProcessHeap () returned 0x4e0000 [0114.725] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fa00 [0114.725] GetProcessHeap () returned 0x4e0000 [0114.725] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fa18 [0114.725] SystemFunction036 (in: RandomBuffer=0x50fa00, RandomBufferLength=0x10 | out: RandomBuffer=0x50fa00) returned 1 [0114.725] SystemFunction036 (in: RandomBuffer=0x50fa18, RandomBufferLength=0x10 | out: RandomBuffer=0x50fa18) returned 1 [0114.725] GetProcessHeap () returned 0x4e0000 [0114.725] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51aac0 [0114.725] GetProcessHeap () returned 0x4e0000 [0114.725] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51abc8 [0114.725] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51aac0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51aac0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.725] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51abc8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51abc8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.725] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.726] SetLastError (dwErrCode=0x0) [0114.726] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51aac0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.726] GetLastError () returned 0x6 [0114.726] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd27f263, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile26.bmp", cAlternateFileName="")) returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2=".") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="..") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="...") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="windows") returned -1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="rsa") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="log") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="NTDETECT.COM") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="ntldr") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="MSDOS.SYS") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="IO.SYS") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="boot.ini") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="ntuser.dat") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="desktop.ini") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="CONFIG.SYS") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="RECYCLER") returned 1 [0114.726] lstrcmpiW (lpString1="usertile26.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.727] lstrcmpiW (lpString1="usertile26.bmp", lpString2="bootmgr") returned 1 [0114.727] lstrcmpiW (lpString1="usertile26.bmp", lpString2="programdata") returned 1 [0114.727] lstrcmpiW (lpString1="usertile26.bmp", lpString2="appdata") returned 1 [0114.727] lstrcmpiW (lpString1="usertile26.bmp", lpString2="program files") returned 1 [0114.727] lstrcmpiW (lpString1="usertile26.bmp", lpString2="program files (x86)") returned 1 [0114.727] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.727] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile26.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" [0114.727] PathFindExtensionW (pszPath="usertile26.bmp") returned=".bmp" [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.727] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.728] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.728] lstrcmpiW (lpString1="usertile26.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.728] lstrlenA (lpString="NEPHILIM") returned 8 [0114.728] GetProcessHeap () returned 0x4e0000 [0114.728] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f688 [0114.728] lstrlenA (lpString="NEPHILIM") returned 8 [0114.728] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.730] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.730] GetProcessHeap () returned 0x4e0000 [0114.731] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fa30 [0114.731] GetProcessHeap () returned 0x4e0000 [0114.731] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fa48 [0114.731] SystemFunction036 (in: RandomBuffer=0x50fa30, RandomBufferLength=0x10 | out: RandomBuffer=0x50fa30) returned 1 [0114.731] SystemFunction036 (in: RandomBuffer=0x50fa48, RandomBufferLength=0x10 | out: RandomBuffer=0x50fa48) returned 1 [0114.731] GetProcessHeap () returned 0x4e0000 [0114.731] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51acd0 [0114.731] GetProcessHeap () returned 0x4e0000 [0114.731] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51add8 [0114.731] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51acd0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51acd0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.732] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51add8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51add8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.732] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.732] SetLastError (dwErrCode=0x0) [0114.732] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51acd0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.732] GetLastError () returned 0x6 [0114.732] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4184d0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4184d0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd2a53c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile27.bmp", cAlternateFileName="")) returned 1 [0114.732] lstrcmpiW (lpString1="usertile27.bmp", lpString2=".") returned 1 [0114.732] lstrcmpiW (lpString1="usertile27.bmp", lpString2="..") returned 1 [0114.732] lstrcmpiW (lpString1="usertile27.bmp", lpString2="...") returned 1 [0114.732] lstrcmpiW (lpString1="usertile27.bmp", lpString2="windows") returned -1 [0114.732] lstrcmpiW (lpString1="usertile27.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.732] lstrcmpiW (lpString1="usertile27.bmp", lpString2="rsa") returned 1 [0114.732] lstrcmpiW (lpString1="usertile27.bmp", lpString2="log") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="NTDETECT.COM") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="ntldr") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="MSDOS.SYS") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="IO.SYS") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="boot.ini") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="ntuser.dat") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="desktop.ini") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="CONFIG.SYS") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="RECYCLER") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="bootmgr") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="programdata") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="appdata") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="program files") returned 1 [0114.733] lstrcmpiW (lpString1="usertile27.bmp", lpString2="program files (x86)") returned 1 [0114.733] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.733] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile27.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" [0114.733] PathFindExtensionW (pszPath="usertile27.bmp") returned=".bmp" [0114.733] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.733] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.733] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.734] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.734] lstrcmpiW (lpString1="usertile27.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.734] lstrlenA (lpString="NEPHILIM") returned 8 [0114.734] GetProcessHeap () returned 0x4e0000 [0114.734] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f698 [0114.734] lstrlenA (lpString="NEPHILIM") returned 8 [0114.734] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.736] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.736] GetProcessHeap () returned 0x4e0000 [0114.736] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fa60 [0114.736] GetProcessHeap () returned 0x4e0000 [0114.736] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fa78 [0114.736] SystemFunction036 (in: RandomBuffer=0x50fa60, RandomBufferLength=0x10 | out: RandomBuffer=0x50fa60) returned 1 [0114.736] SystemFunction036 (in: RandomBuffer=0x50fa78, RandomBufferLength=0x10 | out: RandomBuffer=0x50fa78) returned 1 [0114.736] GetProcessHeap () returned 0x4e0000 [0114.736] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51aff0 [0114.736] GetProcessHeap () returned 0x4e0000 [0114.736] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51b0f8 [0114.736] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51aff0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51aff0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.737] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51b0f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51b0f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.737] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.737] SetLastError (dwErrCode=0x0) [0114.737] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51aff0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.737] GetLastError () returned 0x6 [0114.737] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3177db, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile28.bmp", cAlternateFileName="")) returned 1 [0114.737] lstrcmpiW (lpString1="usertile28.bmp", lpString2=".") returned 1 [0114.737] lstrcmpiW (lpString1="usertile28.bmp", lpString2="..") returned 1 [0114.737] lstrcmpiW (lpString1="usertile28.bmp", lpString2="...") returned 1 [0114.737] lstrcmpiW (lpString1="usertile28.bmp", lpString2="windows") returned -1 [0114.737] lstrcmpiW (lpString1="usertile28.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.737] lstrcmpiW (lpString1="usertile28.bmp", lpString2="rsa") returned 1 [0114.737] lstrcmpiW (lpString1="usertile28.bmp", lpString2="log") returned 1 [0114.737] lstrcmpiW (lpString1="usertile28.bmp", lpString2="NTDETECT.COM") returned 1 [0114.737] lstrcmpiW (lpString1="usertile28.bmp", lpString2="ntldr") returned 1 [0114.737] lstrcmpiW (lpString1="usertile28.bmp", lpString2="MSDOS.SYS") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="IO.SYS") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="boot.ini") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="ntuser.dat") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="desktop.ini") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="CONFIG.SYS") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="RECYCLER") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="bootmgr") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="programdata") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="appdata") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="program files") returned 1 [0114.738] lstrcmpiW (lpString1="usertile28.bmp", lpString2="program files (x86)") returned 1 [0114.738] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.738] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile28.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" [0114.738] PathFindExtensionW (pszPath="usertile28.bmp") returned=".bmp" [0114.738] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.738] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.738] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.738] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.738] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.738] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.738] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.738] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.738] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.738] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.739] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.739] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.739] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.739] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.739] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.739] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.739] lstrcmpiW (lpString1="usertile28.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.739] lstrlenA (lpString="NEPHILIM") returned 8 [0114.739] GetProcessHeap () returned 0x4e0000 [0114.739] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f6a8 [0114.739] lstrlenA (lpString="NEPHILIM") returned 8 [0114.739] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.739] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.739] GetProcessHeap () returned 0x4e0000 [0114.739] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fa90 [0114.739] GetProcessHeap () returned 0x4e0000 [0114.739] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50faa8 [0114.740] SystemFunction036 (in: RandomBuffer=0x50fa90, RandomBufferLength=0x10 | out: RandomBuffer=0x50fa90) returned 1 [0114.740] SystemFunction036 (in: RandomBuffer=0x50faa8, RandomBufferLength=0x10 | out: RandomBuffer=0x50faa8) returned 1 [0114.740] GetProcessHeap () returned 0x4e0000 [0114.740] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51b200 [0114.740] GetProcessHeap () returned 0x4e0000 [0114.740] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51b308 [0114.740] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51b200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51b200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.740] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51b308*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51b308*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.740] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.740] SetLastError (dwErrCode=0x0) [0114.740] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51b200, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.740] GetLastError () returned 0x6 [0114.740] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd33d939, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile29.bmp", cAlternateFileName="")) returned 1 [0114.740] lstrcmpiW (lpString1="usertile29.bmp", lpString2=".") returned 1 [0114.740] lstrcmpiW (lpString1="usertile29.bmp", lpString2="..") returned 1 [0114.740] lstrcmpiW (lpString1="usertile29.bmp", lpString2="...") returned 1 [0114.740] lstrcmpiW (lpString1="usertile29.bmp", lpString2="windows") returned -1 [0114.740] lstrcmpiW (lpString1="usertile29.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="rsa") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="log") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="NTDETECT.COM") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="ntldr") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="MSDOS.SYS") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="IO.SYS") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="boot.ini") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="ntuser.dat") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="desktop.ini") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="CONFIG.SYS") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="RECYCLER") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="bootmgr") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="programdata") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="appdata") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="program files") returned 1 [0114.741] lstrcmpiW (lpString1="usertile29.bmp", lpString2="program files (x86)") returned 1 [0114.741] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.741] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile29.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" [0114.741] PathFindExtensionW (pszPath="usertile29.bmp") returned=".bmp" [0114.741] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.741] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.741] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.741] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.741] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.741] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.741] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.742] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.742] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.742] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.742] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.742] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.742] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.742] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.742] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.742] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.742] lstrcmpiW (lpString1="usertile29.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.742] lstrlenA (lpString="NEPHILIM") returned 8 [0114.742] GetProcessHeap () returned 0x4e0000 [0114.742] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f6b8 [0114.742] lstrlenA (lpString="NEPHILIM") returned 8 [0114.742] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.742] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.742] GetProcessHeap () returned 0x4e0000 [0114.742] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fac0 [0114.742] GetProcessHeap () returned 0x4e0000 [0114.742] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fad8 [0114.742] SystemFunction036 (in: RandomBuffer=0x50fac0, RandomBufferLength=0x10 | out: RandomBuffer=0x50fac0) returned 1 [0114.742] SystemFunction036 (in: RandomBuffer=0x50fad8, RandomBufferLength=0x10 | out: RandomBuffer=0x50fad8) returned 1 [0114.742] GetProcessHeap () returned 0x4e0000 [0114.743] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51b410 [0114.743] GetProcessHeap () returned 0x4e0000 [0114.743] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51b518 [0114.743] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51b410*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51b410*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.743] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51b518*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51b518*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.743] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.743] SetLastError (dwErrCode=0x0) [0114.743] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51b410, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.743] GetLastError () returned 0x6 [0114.743] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae46478a, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae46478a, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile30.bmp", cAlternateFileName="")) returned 1 [0114.743] lstrcmpiW (lpString1="usertile30.bmp", lpString2=".") returned 1 [0114.743] lstrcmpiW (lpString1="usertile30.bmp", lpString2="..") returned 1 [0114.743] lstrcmpiW (lpString1="usertile30.bmp", lpString2="...") returned 1 [0114.743] lstrcmpiW (lpString1="usertile30.bmp", lpString2="windows") returned -1 [0114.743] lstrcmpiW (lpString1="usertile30.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.743] lstrcmpiW (lpString1="usertile30.bmp", lpString2="rsa") returned 1 [0114.743] lstrcmpiW (lpString1="usertile30.bmp", lpString2="log") returned 1 [0114.743] lstrcmpiW (lpString1="usertile30.bmp", lpString2="NTDETECT.COM") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="ntldr") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="MSDOS.SYS") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="IO.SYS") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="boot.ini") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="ntuser.dat") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="desktop.ini") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="CONFIG.SYS") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="RECYCLER") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="bootmgr") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="programdata") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="appdata") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="program files") returned 1 [0114.744] lstrcmpiW (lpString1="usertile30.bmp", lpString2="program files (x86)") returned 1 [0114.744] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.744] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile30.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" [0114.744] PathFindExtensionW (pszPath="usertile30.bmp") returned=".bmp" [0114.744] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.744] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.744] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.744] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.744] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.744] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.744] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.744] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.744] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.744] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.745] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.745] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.745] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.745] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.745] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.745] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.745] lstrcmpiW (lpString1="usertile30.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.745] lstrlenA (lpString="NEPHILIM") returned 8 [0114.745] GetProcessHeap () returned 0x4e0000 [0114.745] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f6c8 [0114.745] lstrlenA (lpString="NEPHILIM") returned 8 [0114.745] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.749] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.749] GetProcessHeap () returned 0x4e0000 [0114.749] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50faf0 [0114.750] GetProcessHeap () returned 0x4e0000 [0114.750] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fb08 [0114.750] SystemFunction036 (in: RandomBuffer=0x50faf0, RandomBufferLength=0x10 | out: RandomBuffer=0x50faf0) returned 1 [0114.750] SystemFunction036 (in: RandomBuffer=0x50fb08, RandomBufferLength=0x10 | out: RandomBuffer=0x50fb08) returned 1 [0114.750] GetProcessHeap () returned 0x4e0000 [0114.750] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51b620 [0114.750] GetProcessHeap () returned 0x4e0000 [0114.750] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51b728 [0114.750] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51b620*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51b620*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.750] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51b728*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51b728*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.750] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.750] SetLastError (dwErrCode=0x0) [0114.750] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51b620, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.751] GetLastError () returned 0x6 [0114.751] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile31.bmp", cAlternateFileName="")) returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2=".") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="..") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="...") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="windows") returned -1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="rsa") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="log") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="NTDETECT.COM") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="ntldr") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="MSDOS.SYS") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="IO.SYS") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="boot.ini") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="ntuser.dat") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="desktop.ini") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="CONFIG.SYS") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="RECYCLER") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="bootmgr") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="programdata") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="appdata") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="program files") returned 1 [0114.751] lstrcmpiW (lpString1="usertile31.bmp", lpString2="program files (x86)") returned 1 [0114.751] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.752] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile31.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" [0114.752] PathFindExtensionW (pszPath="usertile31.bmp") returned=".bmp" [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.752] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.752] lstrcmpiW (lpString1="usertile31.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.752] lstrlenA (lpString="NEPHILIM") returned 8 [0114.752] GetProcessHeap () returned 0x4e0000 [0114.752] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f6d8 [0114.752] lstrlenA (lpString="NEPHILIM") returned 8 [0114.752] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.753] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.753] GetProcessHeap () returned 0x4e0000 [0114.753] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fb20 [0114.753] GetProcessHeap () returned 0x4e0000 [0114.753] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fb38 [0114.753] SystemFunction036 (in: RandomBuffer=0x50fb20, RandomBufferLength=0x10 | out: RandomBuffer=0x50fb20) returned 1 [0114.753] SystemFunction036 (in: RandomBuffer=0x50fb38, RandomBufferLength=0x10 | out: RandomBuffer=0x50fb38) returned 1 [0114.753] GetProcessHeap () returned 0x4e0000 [0114.753] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51b830 [0114.753] GetProcessHeap () returned 0x4e0000 [0114.753] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51b938 [0114.753] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51b830*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51b830*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.754] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51b938*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51b938*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.754] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.754] SetLastError (dwErrCode=0x0) [0114.754] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51b830, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.754] GetLastError () returned 0x6 [0114.754] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd42216d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile32.bmp", cAlternateFileName="")) returned 1 [0114.754] lstrcmpiW (lpString1="usertile32.bmp", lpString2=".") returned 1 [0114.754] lstrcmpiW (lpString1="usertile32.bmp", lpString2="..") returned 1 [0114.754] lstrcmpiW (lpString1="usertile32.bmp", lpString2="...") returned 1 [0114.754] lstrcmpiW (lpString1="usertile32.bmp", lpString2="windows") returned -1 [0114.754] lstrcmpiW (lpString1="usertile32.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.754] lstrcmpiW (lpString1="usertile32.bmp", lpString2="rsa") returned 1 [0114.754] lstrcmpiW (lpString1="usertile32.bmp", lpString2="log") returned 1 [0114.754] lstrcmpiW (lpString1="usertile32.bmp", lpString2="NTDETECT.COM") returned 1 [0114.754] lstrcmpiW (lpString1="usertile32.bmp", lpString2="ntldr") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="MSDOS.SYS") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="IO.SYS") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="boot.ini") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="ntuser.dat") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="desktop.ini") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="CONFIG.SYS") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="RECYCLER") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="bootmgr") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="programdata") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="appdata") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="program files") returned 1 [0114.755] lstrcmpiW (lpString1="usertile32.bmp", lpString2="program files (x86)") returned 1 [0114.755] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.755] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile32.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" [0114.755] PathFindExtensionW (pszPath="usertile32.bmp") returned=".bmp" [0114.755] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.755] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.755] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.755] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.755] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.756] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.756] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.756] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.756] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.756] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.756] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.756] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.756] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.756] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.756] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.756] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.756] lstrcmpiW (lpString1="usertile32.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.756] lstrlenA (lpString="NEPHILIM") returned 8 [0114.756] GetProcessHeap () returned 0x4e0000 [0114.756] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f6e8 [0114.756] lstrlenA (lpString="NEPHILIM") returned 8 [0114.756] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.756] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.757] GetProcessHeap () returned 0x4e0000 [0114.757] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fb50 [0114.757] GetProcessHeap () returned 0x4e0000 [0114.757] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fb68 [0114.757] SystemFunction036 (in: RandomBuffer=0x50fb50, RandomBufferLength=0x10 | out: RandomBuffer=0x50fb50) returned 1 [0114.757] SystemFunction036 (in: RandomBuffer=0x50fb68, RandomBufferLength=0x10 | out: RandomBuffer=0x50fb68) returned 1 [0114.757] GetProcessHeap () returned 0x4e0000 [0114.757] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51ba40 [0114.757] GetProcessHeap () returned 0x4e0000 [0114.757] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51bb48 [0114.757] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51ba40*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51ba40*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.757] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51bb48*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51bb48*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.758] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.758] SetLastError (dwErrCode=0x0) [0114.758] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51ba40, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.758] GetLastError () returned 0x6 [0114.758] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4b0a44, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4b0a44, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd4482cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile33.bmp", cAlternateFileName="")) returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2=".") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="..") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="...") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="windows") returned -1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="rsa") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="log") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="NTDETECT.COM") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="ntldr") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="MSDOS.SYS") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="IO.SYS") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="boot.ini") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="ntuser.dat") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="desktop.ini") returned 1 [0114.758] lstrcmpiW (lpString1="usertile33.bmp", lpString2="CONFIG.SYS") returned 1 [0114.759] lstrcmpiW (lpString1="usertile33.bmp", lpString2="RECYCLER") returned 1 [0114.759] lstrcmpiW (lpString1="usertile33.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.759] lstrcmpiW (lpString1="usertile33.bmp", lpString2="bootmgr") returned 1 [0114.759] lstrcmpiW (lpString1="usertile33.bmp", lpString2="programdata") returned 1 [0114.759] lstrcmpiW (lpString1="usertile33.bmp", lpString2="appdata") returned 1 [0114.759] lstrcmpiW (lpString1="usertile33.bmp", lpString2="program files") returned 1 [0114.759] lstrcmpiW (lpString1="usertile33.bmp", lpString2="program files (x86)") returned 1 [0114.759] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.759] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile33.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" [0114.759] PathFindExtensionW (pszPath="usertile33.bmp") returned=".bmp" [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.759] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.760] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.760] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.760] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.760] lstrcmpiW (lpString1="usertile33.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.760] lstrlenA (lpString="NEPHILIM") returned 8 [0114.760] GetProcessHeap () returned 0x4e0000 [0114.760] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f6f8 [0114.760] lstrlenA (lpString="NEPHILIM") returned 8 [0114.760] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.760] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.760] GetProcessHeap () returned 0x4e0000 [0114.760] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fb80 [0114.760] GetProcessHeap () returned 0x4e0000 [0114.760] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fb98 [0114.760] SystemFunction036 (in: RandomBuffer=0x50fb80, RandomBufferLength=0x10 | out: RandomBuffer=0x50fb80) returned 1 [0114.760] SystemFunction036 (in: RandomBuffer=0x50fb98, RandomBufferLength=0x10 | out: RandomBuffer=0x50fb98) returned 1 [0114.760] GetProcessHeap () returned 0x4e0000 [0114.760] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51bc50 [0114.760] GetProcessHeap () returned 0x4e0000 [0114.760] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51bd58 [0114.761] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51bc50*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51bc50*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.761] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51bd58*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51bd58*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.761] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.761] SetLastError (dwErrCode=0x0) [0114.761] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51bc50, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.761] GetLastError () returned 0x6 [0114.761] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9c9561, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile34.bmp", cAlternateFileName="")) returned 1 [0114.761] lstrcmpiW (lpString1="usertile34.bmp", lpString2=".") returned 1 [0114.761] lstrcmpiW (lpString1="usertile34.bmp", lpString2="..") returned 1 [0114.761] lstrcmpiW (lpString1="usertile34.bmp", lpString2="...") returned 1 [0114.761] lstrcmpiW (lpString1="usertile34.bmp", lpString2="windows") returned -1 [0114.761] lstrcmpiW (lpString1="usertile34.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.761] lstrcmpiW (lpString1="usertile34.bmp", lpString2="rsa") returned 1 [0114.761] lstrcmpiW (lpString1="usertile34.bmp", lpString2="log") returned 1 [0114.761] lstrcmpiW (lpString1="usertile34.bmp", lpString2="NTDETECT.COM") returned 1 [0114.761] lstrcmpiW (lpString1="usertile34.bmp", lpString2="ntldr") returned 1 [0114.761] lstrcmpiW (lpString1="usertile34.bmp", lpString2="MSDOS.SYS") returned 1 [0114.761] lstrcmpiW (lpString1="usertile34.bmp", lpString2="IO.SYS") returned 1 [0114.762] lstrcmpiW (lpString1="usertile34.bmp", lpString2="boot.ini") returned 1 [0114.762] lstrcmpiW (lpString1="usertile34.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.762] lstrcmpiW (lpString1="usertile34.bmp", lpString2="ntuser.dat") returned 1 [0114.762] lstrcmpiW (lpString1="usertile34.bmp", lpString2="desktop.ini") returned 1 [0114.762] lstrcmpiW (lpString1="usertile34.bmp", lpString2="CONFIG.SYS") returned 1 [0114.762] lstrcmpiW (lpString1="usertile34.bmp", lpString2="RECYCLER") returned 1 [0114.762] lstrcmpiW (lpString1="usertile34.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.762] lstrcmpiW (lpString1="usertile34.bmp", lpString2="bootmgr") returned 1 [0114.762] lstrcmpiW (lpString1="usertile34.bmp", lpString2="programdata") returned 1 [0114.762] lstrcmpiW (lpString1="usertile34.bmp", lpString2="appdata") returned 1 [0114.762] lstrcmpiW (lpString1="usertile34.bmp", lpString2="program files") returned 1 [0114.762] lstrcmpiW (lpString1="usertile34.bmp", lpString2="program files (x86)") returned 1 [0114.762] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.762] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile34.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" [0114.762] PathFindExtensionW (pszPath="usertile34.bmp") returned=".bmp" [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.762] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.763] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.763] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.763] lstrcmpiW (lpString1="usertile34.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.763] lstrlenA (lpString="NEPHILIM") returned 8 [0114.763] GetProcessHeap () returned 0x4e0000 [0114.763] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f708 [0114.763] lstrlenA (lpString="NEPHILIM") returned 8 [0114.763] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.765] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.765] GetProcessHeap () returned 0x4e0000 [0114.765] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fbb0 [0114.765] GetProcessHeap () returned 0x4e0000 [0114.765] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fbc8 [0114.765] SystemFunction036 (in: RandomBuffer=0x50fbb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50fbb0) returned 1 [0114.765] SystemFunction036 (in: RandomBuffer=0x50fbc8, RandomBufferLength=0x10 | out: RandomBuffer=0x50fbc8) returned 1 [0114.765] GetProcessHeap () returned 0x4e0000 [0114.765] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51be60 [0114.765] GetProcessHeap () returned 0x4e0000 [0114.765] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51bf68 [0114.766] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51be60*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51be60*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.766] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51bf68*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51bf68*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.766] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.766] SetLastError (dwErrCode=0x0) [0114.766] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51be60, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.766] GetLastError () returned 0x6 [0114.766] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile35.bmp", cAlternateFileName="")) returned 1 [0114.766] lstrcmpiW (lpString1="usertile35.bmp", lpString2=".") returned 1 [0114.766] lstrcmpiW (lpString1="usertile35.bmp", lpString2="..") returned 1 [0114.766] lstrcmpiW (lpString1="usertile35.bmp", lpString2="...") returned 1 [0114.766] lstrcmpiW (lpString1="usertile35.bmp", lpString2="windows") returned -1 [0114.766] lstrcmpiW (lpString1="usertile35.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.766] lstrcmpiW (lpString1="usertile35.bmp", lpString2="rsa") returned 1 [0114.766] lstrcmpiW (lpString1="usertile35.bmp", lpString2="log") returned 1 [0114.766] lstrcmpiW (lpString1="usertile35.bmp", lpString2="NTDETECT.COM") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="ntldr") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="MSDOS.SYS") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="IO.SYS") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="boot.ini") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="ntuser.dat") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="desktop.ini") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="CONFIG.SYS") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="RECYCLER") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="bootmgr") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="programdata") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="appdata") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="program files") returned 1 [0114.767] lstrcmpiW (lpString1="usertile35.bmp", lpString2="program files (x86)") returned 1 [0114.767] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.767] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile35.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" [0114.767] PathFindExtensionW (pszPath="usertile35.bmp") returned=".bmp" [0114.767] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.767] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.767] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.767] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.767] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.767] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.767] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.767] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.768] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.768] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.768] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.768] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.768] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.768] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.768] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.768] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.768] lstrcmpiW (lpString1="usertile35.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.768] lstrlenA (lpString="NEPHILIM") returned 8 [0114.768] GetProcessHeap () returned 0x4e0000 [0114.768] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f718 [0114.768] lstrlenA (lpString="NEPHILIM") returned 8 [0114.768] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.768] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.768] GetProcessHeap () returned 0x4e0000 [0114.768] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fbe0 [0114.768] GetProcessHeap () returned 0x4e0000 [0114.769] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fbf8 [0114.769] SystemFunction036 (in: RandomBuffer=0x50fbe0, RandomBufferLength=0x10 | out: RandomBuffer=0x50fbe0) returned 1 [0114.769] SystemFunction036 (in: RandomBuffer=0x50fbf8, RandomBufferLength=0x10 | out: RandomBuffer=0x50fbf8) returned 1 [0114.769] GetProcessHeap () returned 0x4e0000 [0114.769] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51c070 [0114.769] GetProcessHeap () returned 0x4e0000 [0114.769] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51c178 [0114.769] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51c070*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51c070*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.769] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51c178*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51c178*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.769] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.769] SetLastError (dwErrCode=0x0) [0114.769] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51c070, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.770] GetLastError () returned 0x6 [0114.770] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae548fb8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae548fb8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile36.bmp", cAlternateFileName="")) returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2=".") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="..") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="...") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="windows") returned -1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="rsa") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="log") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="NTDETECT.COM") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="ntldr") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="MSDOS.SYS") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="IO.SYS") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="boot.ini") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="ntuser.dat") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="desktop.ini") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="CONFIG.SYS") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="RECYCLER") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="bootmgr") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="programdata") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="appdata") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="program files") returned 1 [0114.770] lstrcmpiW (lpString1="usertile36.bmp", lpString2="program files (x86)") returned 1 [0114.771] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.771] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile36.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" [0114.771] PathFindExtensionW (pszPath="usertile36.bmp") returned=".bmp" [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.771] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.771] lstrcmpiW (lpString1="usertile36.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.771] lstrlenA (lpString="NEPHILIM") returned 8 [0114.771] GetProcessHeap () returned 0x4e0000 [0114.771] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f728 [0114.771] lstrlenA (lpString="NEPHILIM") returned 8 [0114.771] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.772] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.772] GetProcessHeap () returned 0x4e0000 [0114.772] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fc10 [0114.772] GetProcessHeap () returned 0x4e0000 [0114.772] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fc28 [0114.772] SystemFunction036 (in: RandomBuffer=0x50fc10, RandomBufferLength=0x10 | out: RandomBuffer=0x50fc10) returned 1 [0114.772] SystemFunction036 (in: RandomBuffer=0x50fc28, RandomBufferLength=0x10 | out: RandomBuffer=0x50fc28) returned 1 [0114.772] GetProcessHeap () returned 0x4e0000 [0114.772] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51c280 [0114.772] GetProcessHeap () returned 0x4e0000 [0114.772] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51c388 [0114.772] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51c280*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51c280*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.772] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51c388*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51c388*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.773] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.773] SetLastError (dwErrCode=0x0) [0114.773] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51c280, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.773] GetLastError () returned 0x6 [0114.773] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae595272, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae595272, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile37.bmp", cAlternateFileName="")) returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2=".") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="..") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="...") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="windows") returned -1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="rsa") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="log") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="NTDETECT.COM") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="ntldr") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="MSDOS.SYS") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="IO.SYS") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="boot.ini") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="ntuser.dat") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="desktop.ini") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="CONFIG.SYS") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="RECYCLER") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.773] lstrcmpiW (lpString1="usertile37.bmp", lpString2="bootmgr") returned 1 [0114.774] lstrcmpiW (lpString1="usertile37.bmp", lpString2="programdata") returned 1 [0114.774] lstrcmpiW (lpString1="usertile37.bmp", lpString2="appdata") returned 1 [0114.774] lstrcmpiW (lpString1="usertile37.bmp", lpString2="program files") returned 1 [0114.774] lstrcmpiW (lpString1="usertile37.bmp", lpString2="program files (x86)") returned 1 [0114.774] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.774] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile37.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" [0114.774] PathFindExtensionW (pszPath="usertile37.bmp") returned=".bmp" [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.774] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.774] lstrcmpiW (lpString1="usertile37.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.774] lstrlenA (lpString="NEPHILIM") returned 8 [0114.774] GetProcessHeap () returned 0x4e0000 [0114.774] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f738 [0114.775] lstrlenA (lpString="NEPHILIM") returned 8 [0114.775] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.775] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.775] GetProcessHeap () returned 0x4e0000 [0114.775] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fc40 [0114.775] GetProcessHeap () returned 0x4e0000 [0114.775] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fc58 [0114.775] SystemFunction036 (in: RandomBuffer=0x50fc40, RandomBufferLength=0x10 | out: RandomBuffer=0x50fc40) returned 1 [0114.775] SystemFunction036 (in: RandomBuffer=0x50fc58, RandomBufferLength=0x10 | out: RandomBuffer=0x50fc58) returned 1 [0114.775] GetProcessHeap () returned 0x4e0000 [0114.775] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51c490 [0114.775] GetProcessHeap () returned 0x4e0000 [0114.775] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51c598 [0114.775] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51c490*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51c490*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.775] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51c598*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51c598*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.776] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.776] SetLastError (dwErrCode=0x0) [0114.776] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51c490, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.776] GetLastError () returned 0x6 [0114.776] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5bb3cf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5bb3cf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile38.bmp", cAlternateFileName="")) returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2=".") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="..") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="...") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="windows") returned -1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="rsa") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="log") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="NTDETECT.COM") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="ntldr") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="MSDOS.SYS") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="IO.SYS") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="boot.ini") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="ntuser.dat") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="desktop.ini") returned 1 [0114.776] lstrcmpiW (lpString1="usertile38.bmp", lpString2="CONFIG.SYS") returned 1 [0114.777] lstrcmpiW (lpString1="usertile38.bmp", lpString2="RECYCLER") returned 1 [0114.777] lstrcmpiW (lpString1="usertile38.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.777] lstrcmpiW (lpString1="usertile38.bmp", lpString2="bootmgr") returned 1 [0114.777] lstrcmpiW (lpString1="usertile38.bmp", lpString2="programdata") returned 1 [0114.777] lstrcmpiW (lpString1="usertile38.bmp", lpString2="appdata") returned 1 [0114.777] lstrcmpiW (lpString1="usertile38.bmp", lpString2="program files") returned 1 [0114.777] lstrcmpiW (lpString1="usertile38.bmp", lpString2="program files (x86)") returned 1 [0114.777] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.777] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile38.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" [0114.777] PathFindExtensionW (pszPath="usertile38.bmp") returned=".bmp" [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.777] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.777] lstrcmpiW (lpString1="usertile38.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.778] lstrlenA (lpString="NEPHILIM") returned 8 [0114.778] GetProcessHeap () returned 0x4e0000 [0114.778] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f748 [0114.778] lstrlenA (lpString="NEPHILIM") returned 8 [0114.778] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.784] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.784] GetProcessHeap () returned 0x4e0000 [0114.784] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fc70 [0114.784] GetProcessHeap () returned 0x4e0000 [0114.784] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fc88 [0114.784] SystemFunction036 (in: RandomBuffer=0x50fc70, RandomBufferLength=0x10 | out: RandomBuffer=0x50fc70) returned 1 [0114.784] SystemFunction036 (in: RandomBuffer=0x50fc88, RandomBufferLength=0x10 | out: RandomBuffer=0x50fc88) returned 1 [0114.784] GetProcessHeap () returned 0x4e0000 [0114.784] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51c6a0 [0114.784] GetProcessHeap () returned 0x4e0000 [0114.784] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51c7a8 [0114.784] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51c6a0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51c6a0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.785] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51c7a8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51c7a8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.785] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.785] SetLastError (dwErrCode=0x0) [0114.785] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51c6a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.785] GetLastError () returned 0x6 [0114.785] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5e152c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5e152c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc2ab41, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile39.bmp", cAlternateFileName="")) returned 1 [0114.785] lstrcmpiW (lpString1="usertile39.bmp", lpString2=".") returned 1 [0114.785] lstrcmpiW (lpString1="usertile39.bmp", lpString2="..") returned 1 [0114.785] lstrcmpiW (lpString1="usertile39.bmp", lpString2="...") returned 1 [0114.785] lstrcmpiW (lpString1="usertile39.bmp", lpString2="windows") returned -1 [0114.785] lstrcmpiW (lpString1="usertile39.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="rsa") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="log") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="NTDETECT.COM") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="ntldr") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="MSDOS.SYS") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="IO.SYS") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="boot.ini") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="ntuser.dat") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="desktop.ini") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="CONFIG.SYS") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="RECYCLER") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="bootmgr") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="programdata") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="appdata") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="program files") returned 1 [0114.786] lstrcmpiW (lpString1="usertile39.bmp", lpString2="program files (x86)") returned 1 [0114.786] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.786] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile39.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" [0114.786] PathFindExtensionW (pszPath="usertile39.bmp") returned=".bmp" [0114.786] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.786] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.787] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.787] lstrcmpiW (lpString1="usertile39.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.787] lstrlenA (lpString="NEPHILIM") returned 8 [0114.787] GetProcessHeap () returned 0x4e0000 [0114.787] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f758 [0114.787] lstrlenA (lpString="NEPHILIM") returned 8 [0114.788] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.788] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.788] GetProcessHeap () returned 0x4e0000 [0114.788] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fca0 [0114.788] GetProcessHeap () returned 0x4e0000 [0114.788] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fcb8 [0114.788] SystemFunction036 (in: RandomBuffer=0x50fca0, RandomBufferLength=0x10 | out: RandomBuffer=0x50fca0) returned 1 [0114.788] SystemFunction036 (in: RandomBuffer=0x50fcb8, RandomBufferLength=0x10 | out: RandomBuffer=0x50fcb8) returned 1 [0114.788] GetProcessHeap () returned 0x4e0000 [0114.788] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51c8b0 [0114.788] GetProcessHeap () returned 0x4e0000 [0114.788] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51c9b8 [0114.788] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51c8b0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51c8b0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.789] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51c9b8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51c9b8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.789] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.789] SetLastError (dwErrCode=0x0) [0114.789] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51c8b0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.789] GetLastError () returned 0x6 [0114.789] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae607689, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae607689, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc50c9f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile40.bmp", cAlternateFileName="")) returned 1 [0114.789] lstrcmpiW (lpString1="usertile40.bmp", lpString2=".") returned 1 [0114.789] lstrcmpiW (lpString1="usertile40.bmp", lpString2="..") returned 1 [0114.789] lstrcmpiW (lpString1="usertile40.bmp", lpString2="...") returned 1 [0114.789] lstrcmpiW (lpString1="usertile40.bmp", lpString2="windows") returned -1 [0114.789] lstrcmpiW (lpString1="usertile40.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.789] lstrcmpiW (lpString1="usertile40.bmp", lpString2="rsa") returned 1 [0114.789] lstrcmpiW (lpString1="usertile40.bmp", lpString2="log") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="NTDETECT.COM") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="ntldr") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="MSDOS.SYS") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="IO.SYS") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="boot.ini") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="ntuser.dat") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="desktop.ini") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="CONFIG.SYS") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="RECYCLER") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="bootmgr") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="programdata") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="appdata") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="program files") returned 1 [0114.790] lstrcmpiW (lpString1="usertile40.bmp", lpString2="program files (x86)") returned 1 [0114.790] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.790] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile40.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" [0114.790] PathFindExtensionW (pszPath="usertile40.bmp") returned=".bmp" [0114.790] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.790] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.790] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.791] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.791] lstrcmpiW (lpString1="usertile40.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.791] lstrlenA (lpString="NEPHILIM") returned 8 [0114.791] GetProcessHeap () returned 0x4e0000 [0114.791] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f768 [0114.791] lstrlenA (lpString="NEPHILIM") returned 8 [0114.791] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.792] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.792] GetProcessHeap () returned 0x4e0000 [0114.792] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fcd0 [0114.792] GetProcessHeap () returned 0x4e0000 [0114.792] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50fce8 [0114.792] SystemFunction036 (in: RandomBuffer=0x50fcd0, RandomBufferLength=0x10 | out: RandomBuffer=0x50fcd0) returned 1 [0114.792] SystemFunction036 (in: RandomBuffer=0x50fce8, RandomBufferLength=0x10 | out: RandomBuffer=0x50fce8) returned 1 [0114.792] GetProcessHeap () returned 0x4e0000 [0114.792] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51cac0 [0114.792] GetProcessHeap () returned 0x4e0000 [0114.792] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51cbc8 [0114.792] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cac0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51cac0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.793] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cbc8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51cbc8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.793] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.793] SetLastError (dwErrCode=0x0) [0114.793] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51cac0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.793] GetLastError () returned 0x6 [0114.793] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae62d7e6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae62d7e6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddcc30b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile41.bmp", cAlternateFileName="")) returned 1 [0114.793] lstrcmpiW (lpString1="usertile41.bmp", lpString2=".") returned 1 [0114.793] lstrcmpiW (lpString1="usertile41.bmp", lpString2="..") returned 1 [0114.793] lstrcmpiW (lpString1="usertile41.bmp", lpString2="...") returned 1 [0114.793] lstrcmpiW (lpString1="usertile41.bmp", lpString2="windows") returned -1 [0114.793] lstrcmpiW (lpString1="usertile41.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.793] lstrcmpiW (lpString1="usertile41.bmp", lpString2="rsa") returned 1 [0114.793] lstrcmpiW (lpString1="usertile41.bmp", lpString2="log") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="NTDETECT.COM") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="ntldr") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="MSDOS.SYS") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="IO.SYS") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="boot.ini") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="ntuser.dat") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="desktop.ini") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="CONFIG.SYS") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="RECYCLER") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="bootmgr") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="programdata") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="appdata") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="program files") returned 1 [0114.794] lstrcmpiW (lpString1="usertile41.bmp", lpString2="program files (x86)") returned 1 [0114.794] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.794] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile41.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" [0114.794] PathFindExtensionW (pszPath="usertile41.bmp") returned=".bmp" [0114.794] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.794] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.796] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.797] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.797] lstrcmpiW (lpString1="usertile41.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.797] lstrlenA (lpString="NEPHILIM") returned 8 [0114.797] GetProcessHeap () returned 0x4e0000 [0114.797] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f778 [0114.797] lstrlenA (lpString="NEPHILIM") returned 8 [0114.797] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.798] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.798] GetProcessHeap () returned 0x4e0000 [0114.798] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dcd0 [0114.798] GetProcessHeap () returned 0x4e0000 [0114.798] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dce8 [0114.798] SystemFunction036 (in: RandomBuffer=0x50dcd0, RandomBufferLength=0x10 | out: RandomBuffer=0x50dcd0) returned 1 [0114.798] SystemFunction036 (in: RandomBuffer=0x50dce8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dce8) returned 1 [0114.798] GetProcessHeap () returned 0x4e0000 [0114.798] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51ccd0 [0114.799] GetProcessHeap () returned 0x4e0000 [0114.799] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51cdd8 [0114.799] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51ccd0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51ccd0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.799] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cdd8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51cdd8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.799] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.799] SetLastError (dwErrCode=0x0) [0114.799] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51ccd0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.799] GetLastError () returned 0x6 [0114.799] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddce9217, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile42.bmp", cAlternateFileName="")) returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2=".") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="..") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="...") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="windows") returned -1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="rsa") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="log") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="NTDETECT.COM") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="ntldr") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="MSDOS.SYS") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="IO.SYS") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="boot.ini") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="ntuser.dat") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="desktop.ini") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="CONFIG.SYS") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="RECYCLER") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="bootmgr") returned 1 [0114.800] lstrcmpiW (lpString1="usertile42.bmp", lpString2="programdata") returned 1 [0114.801] lstrcmpiW (lpString1="usertile42.bmp", lpString2="appdata") returned 1 [0114.801] lstrcmpiW (lpString1="usertile42.bmp", lpString2="program files") returned 1 [0114.801] lstrcmpiW (lpString1="usertile42.bmp", lpString2="program files (x86)") returned 1 [0114.801] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.801] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile42.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" [0114.801] PathFindExtensionW (pszPath="usertile42.bmp") returned=".bmp" [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.801] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.801] lstrcmpiW (lpString1="usertile42.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.801] lstrlenA (lpString="NEPHILIM") returned 8 [0114.801] GetProcessHeap () returned 0x4e0000 [0114.801] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f788 [0114.802] lstrlenA (lpString="NEPHILIM") returned 8 [0114.802] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.802] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.802] GetProcessHeap () returned 0x4e0000 [0114.802] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd00 [0114.802] GetProcessHeap () returned 0x4e0000 [0114.802] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd18 [0114.802] SystemFunction036 (in: RandomBuffer=0x50dd00, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd00) returned 1 [0114.802] SystemFunction036 (in: RandomBuffer=0x50dd18, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd18) returned 1 [0114.802] GetProcessHeap () returned 0x4e0000 [0114.802] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51cff0 [0114.802] GetProcessHeap () returned 0x4e0000 [0114.802] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d0f8 [0114.802] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cff0*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51cff0*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.803] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d0f8*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51d0f8*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.803] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.803] SetLastError (dwErrCode=0x0) [0114.803] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51cff0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.803] GetLastError () returned 0x6 [0114.803] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd0f375, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile43.bmp", cAlternateFileName="")) returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2=".") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="..") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="...") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="windows") returned -1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="rsa") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="log") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="NTDETECT.COM") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="ntldr") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="MSDOS.SYS") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="IO.SYS") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="boot.ini") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="ntuser.dat") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="desktop.ini") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="CONFIG.SYS") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="RECYCLER") returned 1 [0114.803] lstrcmpiW (lpString1="usertile43.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.804] lstrcmpiW (lpString1="usertile43.bmp", lpString2="bootmgr") returned 1 [0114.804] lstrcmpiW (lpString1="usertile43.bmp", lpString2="programdata") returned 1 [0114.804] lstrcmpiW (lpString1="usertile43.bmp", lpString2="appdata") returned 1 [0114.804] lstrcmpiW (lpString1="usertile43.bmp", lpString2="program files") returned 1 [0114.804] lstrcmpiW (lpString1="usertile43.bmp", lpString2="program files (x86)") returned 1 [0114.804] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.804] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile43.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" [0114.804] PathFindExtensionW (pszPath="usertile43.bmp") returned=".bmp" [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.804] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.804] lstrcmpiW (lpString1="usertile43.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.804] lstrlenA (lpString="NEPHILIM") returned 8 [0114.804] GetProcessHeap () returned 0x4e0000 [0114.804] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f798 [0114.805] lstrlenA (lpString="NEPHILIM") returned 8 [0114.805] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.805] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.805] GetProcessHeap () returned 0x4e0000 [0114.805] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd30 [0114.805] GetProcessHeap () returned 0x4e0000 [0114.805] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd48 [0114.805] SystemFunction036 (in: RandomBuffer=0x50dd30, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd30) returned 1 [0114.805] SystemFunction036 (in: RandomBuffer=0x50dd48, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd48) returned 1 [0114.805] GetProcessHeap () returned 0x4e0000 [0114.805] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d200 [0114.805] GetProcessHeap () returned 0x4e0000 [0114.805] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d308 [0114.805] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d200*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51d200*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.805] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d308*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51d308*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.806] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.806] SetLastError (dwErrCode=0x0) [0114.806] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51d200, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.806] GetLastError () returned 0x6 [0114.806] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile44.bmp", cAlternateFileName="")) returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2=".") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="..") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="...") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="windows") returned -1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="rsa") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="log") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="NTDETECT.COM") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="ntldr") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="MSDOS.SYS") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="IO.SYS") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="boot.ini") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="ntuser.dat") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="desktop.ini") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="CONFIG.SYS") returned 1 [0114.806] lstrcmpiW (lpString1="usertile44.bmp", lpString2="RECYCLER") returned 1 [0114.807] lstrcmpiW (lpString1="usertile44.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.807] lstrcmpiW (lpString1="usertile44.bmp", lpString2="bootmgr") returned 1 [0114.807] lstrcmpiW (lpString1="usertile44.bmp", lpString2="programdata") returned 1 [0114.807] lstrcmpiW (lpString1="usertile44.bmp", lpString2="appdata") returned 1 [0114.807] lstrcmpiW (lpString1="usertile44.bmp", lpString2="program files") returned 1 [0114.807] lstrcmpiW (lpString1="usertile44.bmp", lpString2="program files (x86)") returned 1 [0114.807] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0114.807] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile44.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" [0114.807] PathFindExtensionW (pszPath="usertile44.bmp") returned=".bmp" [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.807] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.807] lstrcmpiW (lpString1="usertile44.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.807] lstrlenA (lpString="NEPHILIM") returned 8 [0114.807] GetProcessHeap () returned 0x4e0000 [0114.808] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f7a8 [0114.808] lstrlenA (lpString="NEPHILIM") returned 8 [0114.808] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0114.808] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0114.808] GetProcessHeap () returned 0x4e0000 [0114.808] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd60 [0114.808] GetProcessHeap () returned 0x4e0000 [0114.808] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd78 [0114.808] SystemFunction036 (in: RandomBuffer=0x50dd60, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd60) returned 1 [0114.808] SystemFunction036 (in: RandomBuffer=0x50dd78, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd78) returned 1 [0114.808] GetProcessHeap () returned 0x4e0000 [0114.808] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d410 [0114.808] GetProcessHeap () returned 0x4e0000 [0114.808] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d518 [0114.808] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d410*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51d410*, pdwDataLen=0x24dd508*=0x100) returned 1 [0114.809] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d518*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51d518*, pdwDataLen=0x24dd504*=0x100) returned 1 [0114.809] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0114.809] SetLastError (dwErrCode=0x0) [0114.809] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51d410, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0114.809] GetLastError () returned 0x6 [0114.809] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x24dd72c, dwReserved1=0x8184c892, cFileName="usertile44.bmp", cAlternateFileName="")) returned 0 [0114.809] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0114.811] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="guest.bmp", cAlternateFileName="")) returned 1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2=".") returned 1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="..") returned 1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="...") returned 1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="windows") returned -1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="rsa") returned -1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="log") returned -1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="NTDETECT.COM") returned -1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="ntldr") returned -1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="MSDOS.SYS") returned -1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="IO.SYS") returned -1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="boot.ini") returned 1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="ntuser.dat") returned -1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="desktop.ini") returned 1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="CONFIG.SYS") returned 1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="RECYCLER") returned -1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="bootmgr") returned 1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="programdata") returned -1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="appdata") returned 1 [0114.811] lstrcmpiW (lpString1="guest.bmp", lpString2="program files") returned -1 [0114.812] lstrcmpiW (lpString1="guest.bmp", lpString2="program files (x86)") returned -1 [0114.812] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" [0114.812] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="guest.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp" [0114.812] PathFindExtensionW (pszPath="guest.bmp") returned=".bmp" [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.822] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.823] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.823] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.823] lstrcmpiW (lpString1="guest.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0114.823] lstrlenA (lpString="NEPHILIM") returned 8 [0114.823] GetProcessHeap () returned 0x4e0000 [0114.823] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f7b8 [0114.823] lstrlenA (lpString="NEPHILIM") returned 8 [0114.823] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0114.824] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=49208) returned 1 [0114.824] GetProcessHeap () returned 0x4e0000 [0114.824] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd90 [0114.824] GetProcessHeap () returned 0x4e0000 [0114.824] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dda8 [0114.824] SystemFunction036 (in: RandomBuffer=0x50dd90, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd90) returned 1 [0114.824] SystemFunction036 (in: RandomBuffer=0x50dda8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dda8) returned 1 [0114.824] GetProcessHeap () returned 0x4e0000 [0114.824] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d620 [0114.824] GetProcessHeap () returned 0x4e0000 [0114.824] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d728 [0114.824] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d620*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51d620*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0114.824] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d728*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51d728*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0114.824] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xc038, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.824] SetLastError (dwErrCode=0x0) [0114.824] WriteFile (in: hFile=0xf0, lpBuffer=0x51d620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51d620*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0114.827] GetLastError () returned 0x0 [0114.827] GetLastError () returned 0x0 [0114.827] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xc138, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.827] WriteFile (in: hFile=0xf0, lpBuffer=0x51d728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51d728*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0114.828] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xc238, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.828] lstrlenA (lpString="NEPHILIM") returned 8 [0114.828] WriteFile (in: hFile=0xf0, lpBuffer=0x50f7b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50f7b8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0114.828] GetProcessHeap () returned 0x4e0000 [0114.828] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xc038) returned 0x51efd8 [0114.828] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.828] ReadFile (in: hFile=0xf0, lpBuffer=0x51efd8, nNumberOfBytesToRead=0xc038, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesRead=0x24dddb0*=0xc038, lpOverlapped=0x0) returned 1 [0114.834] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.834] WriteFile (in: hFile=0xf0, lpBuffer=0x51efd8*, nNumberOfBytesToWrite=0xc038, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesWritten=0x24dddbc*=0xc038, lpOverlapped=0x0) returned 1 [0114.834] GetProcessHeap () returned 0x4e0000 [0114.834] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51efd8 | out: hHeap=0x4e0000) returned 1 [0114.834] CloseHandle (hObject=0xf0) returned 1 [0114.834] GetProcessHeap () returned 0x4e0000 [0114.834] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51d620 | out: hHeap=0x4e0000) returned 1 [0114.834] GetProcessHeap () returned 0x4e0000 [0114.834] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51d728 | out: hHeap=0x4e0000) returned 1 [0114.834] GetProcessHeap () returned 0x4e0000 [0114.834] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dd90 | out: hHeap=0x4e0000) returned 1 [0114.834] GetProcessHeap () returned 0x4e0000 [0114.834] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dda8 | out: hHeap=0x4e0000) returned 1 [0114.834] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp" [0114.834] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp.NEPHILIM" [0114.835] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp.nephilim")) returned 1 [0114.835] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="user.bmp", cAlternateFileName="")) returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2=".") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="..") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="...") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="windows") returned -1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="$RECYCLE.BIN") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="rsa") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="log") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="NTDETECT.COM") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="ntldr") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="MSDOS.SYS") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="IO.SYS") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="boot.ini") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="ntuser.dat") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="desktop.ini") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="CONFIG.SYS") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="RECYCLER") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="BOOTSECT.BAK") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="bootmgr") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="programdata") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="appdata") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="program files") returned 1 [0114.836] lstrcmpiW (lpString1="user.bmp", lpString2="program files (x86)") returned 1 [0114.836] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\" [0114.836] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="user.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp" [0114.836] PathFindExtensionW (pszPath="user.bmp") returned=".bmp" [0114.836] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0114.836] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".NEPHILIM") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0114.837] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0114.837] lstrcmpiW (lpString1="user.bmp", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0114.837] lstrlenA (lpString="NEPHILIM") returned 8 [0114.837] GetProcessHeap () returned 0x4e0000 [0114.837] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f7c8 [0114.837] lstrlenA (lpString="NEPHILIM") returned 8 [0114.837] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0114.838] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=49208) returned 1 [0114.838] GetProcessHeap () returned 0x4e0000 [0114.838] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dda8 [0114.838] GetProcessHeap () returned 0x4e0000 [0114.838] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd90 [0114.838] SystemFunction036 (in: RandomBuffer=0x50dda8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dda8) returned 1 [0114.838] SystemFunction036 (in: RandomBuffer=0x50dd90, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd90) returned 1 [0114.838] GetProcessHeap () returned 0x4e0000 [0114.838] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d728 [0114.838] GetProcessHeap () returned 0x4e0000 [0114.838] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d620 [0114.838] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d728*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51d728*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0114.838] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d620*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51d620*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0114.838] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xc038, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.839] SetLastError (dwErrCode=0x0) [0114.839] WriteFile (in: hFile=0xf0, lpBuffer=0x51d728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51d728*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0114.840] GetLastError () returned 0x0 [0114.840] GetLastError () returned 0x0 [0114.840] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xc138, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.840] WriteFile (in: hFile=0xf0, lpBuffer=0x51d620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51d620*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0114.840] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xc238, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.840] lstrlenA (lpString="NEPHILIM") returned 8 [0114.840] WriteFile (in: hFile=0xf0, lpBuffer=0x50f7c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50f7c8*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0114.840] GetProcessHeap () returned 0x4e0000 [0114.840] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xc038) returned 0x51efd8 [0114.840] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.840] ReadFile (in: hFile=0xf0, lpBuffer=0x51efd8, nNumberOfBytesToRead=0xc038, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesRead=0x24dddb0*=0xc038, lpOverlapped=0x0) returned 1 [0114.844] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.844] WriteFile (in: hFile=0xf0, lpBuffer=0x51efd8*, nNumberOfBytesToWrite=0xc038, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesWritten=0x24dddbc*=0xc038, lpOverlapped=0x0) returned 1 [0114.844] GetProcessHeap () returned 0x4e0000 [0114.844] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51efd8 | out: hHeap=0x4e0000) returned 1 [0114.844] CloseHandle (hObject=0xf0) returned 1 [0114.844] GetProcessHeap () returned 0x4e0000 [0114.844] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51d728 | out: hHeap=0x4e0000) returned 1 [0114.844] GetProcessHeap () returned 0x4e0000 [0114.844] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51d620 | out: hHeap=0x4e0000) returned 1 [0114.844] GetProcessHeap () returned 0x4e0000 [0114.844] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dda8 | out: hHeap=0x4e0000) returned 1 [0114.844] GetProcessHeap () returned 0x4e0000 [0114.845] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dd90 | out: hHeap=0x4e0000) returned 1 [0114.845] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp" [0114.845] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp.NEPHILIM" [0114.845] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.bmp"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.bmp.nephilim")) returned 1 [0114.850] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="user.bmp", cAlternateFileName="")) returned 0 [0114.850] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0114.850] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Vault", cAlternateFileName="")) returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2=".") returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="..") returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="...") returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="windows") returned -1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="$RECYCLE.BIN") returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="rsa") returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="log") returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="NTDETECT.COM") returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="ntldr") returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="MSDOS.SYS") returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="IO.SYS") returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="boot.ini") returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="AUTOEXEC.BAT") returned 1 [0114.850] lstrcmpiW (lpString1="Vault", lpString2="ntuser.dat") returned 1 [0114.851] lstrcmpiW (lpString1="Vault", lpString2="desktop.ini") returned 1 [0114.851] lstrcmpiW (lpString1="Vault", lpString2="CONFIG.SYS") returned 1 [0114.851] lstrcmpiW (lpString1="Vault", lpString2="RECYCLER") returned 1 [0114.851] lstrcmpiW (lpString1="Vault", lpString2="BOOTSECT.BAK") returned 1 [0114.851] lstrcmpiW (lpString1="Vault", lpString2="bootmgr") returned 1 [0114.851] lstrcmpiW (lpString1="Vault", lpString2="programdata") returned 1 [0114.851] lstrcmpiW (lpString1="Vault", lpString2="appdata") returned 1 [0114.851] lstrcmpiW (lpString1="Vault", lpString2="program files") returned 1 [0114.851] lstrcmpiW (lpString1="Vault", lpString2="program files (x86)") returned 1 [0114.851] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0114.851] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Vault" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault") returned="C:\\Users\\All Users\\Microsoft\\Vault" [0114.851] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\") returned="C:\\Users\\All Users\\Microsoft\\Vault\\" [0114.851] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\Vault\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\") returned="C:\\Users\\All Users\\Microsoft\\Vault\\" [0114.851] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Vault\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Vault\\*.*" [0114.851] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Vault\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0114.851] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.851] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0114.852] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.852] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.852] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 0 [0114.852] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0114.852] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="VISIO", cAlternateFileName="")) returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2=".") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="..") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="...") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="windows") returned -1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="$RECYCLE.BIN") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="rsa") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="log") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="NTDETECT.COM") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="ntldr") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="MSDOS.SYS") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="IO.SYS") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="boot.ini") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="AUTOEXEC.BAT") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="ntuser.dat") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="desktop.ini") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="CONFIG.SYS") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="RECYCLER") returned 1 [0114.852] lstrcmpiW (lpString1="VISIO", lpString2="BOOTSECT.BAK") returned 1 [0114.853] lstrcmpiW (lpString1="VISIO", lpString2="bootmgr") returned 1 [0114.853] lstrcmpiW (lpString1="VISIO", lpString2="programdata") returned 1 [0114.853] lstrcmpiW (lpString1="VISIO", lpString2="appdata") returned 1 [0114.853] lstrcmpiW (lpString1="VISIO", lpString2="program files") returned 1 [0114.853] lstrcmpiW (lpString1="VISIO", lpString2="program files (x86)") returned 1 [0114.853] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0114.853] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="VISIO" | out: lpString1="C:\\Users\\All Users\\Microsoft\\VISIO") returned="C:\\Users\\All Users\\Microsoft\\VISIO" [0114.853] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\VISIO", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\VISIO\\") returned="C:\\Users\\All Users\\Microsoft\\VISIO\\" [0114.853] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\VISIO\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\VISIO\\") returned="C:\\Users\\All Users\\Microsoft\\VISIO\\" [0114.853] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\VISIO\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\VISIO\\*.*") returned="C:\\Users\\All Users\\Microsoft\\VISIO\\*.*" [0114.853] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\VISIO\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0114.856] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.856] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0114.856] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.856] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.856] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 0 [0114.856] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0114.856] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60ae73a0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x60ae73a0, ftLastWriteTime.dwHighDateTime=0x1d2de2a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Windows", cAlternateFileName="")) returned 1 [0114.856] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0114.856] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0114.856] lstrcmpiW (lpString1="Windows", lpString2="...") returned 1 [0114.856] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0114.856] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0114.856] lstrcmpiW (lpString1="Windows Defender", lpString2=".") returned 1 [0114.856] lstrcmpiW (lpString1="Windows Defender", lpString2="..") returned 1 [0114.856] lstrcmpiW (lpString1="Windows Defender", lpString2="...") returned 1 [0114.856] lstrcmpiW (lpString1="Windows Defender", lpString2="windows") returned 1 [0114.856] lstrcmpiW (lpString1="Windows Defender", lpString2="$RECYCLE.BIN") returned 1 [0114.856] lstrcmpiW (lpString1="Windows Defender", lpString2="rsa") returned 1 [0114.856] lstrcmpiW (lpString1="Windows Defender", lpString2="log") returned 1 [0114.856] lstrcmpiW (lpString1="Windows Defender", lpString2="NTDETECT.COM") returned 1 [0114.856] lstrcmpiW (lpString1="Windows Defender", lpString2="ntldr") returned 1 [0114.856] lstrcmpiW (lpString1="Windows Defender", lpString2="MSDOS.SYS") returned 1 [0114.856] lstrcmpiW (lpString1="Windows Defender", lpString2="IO.SYS") returned 1 [0114.857] lstrcmpiW (lpString1="Windows Defender", lpString2="boot.ini") returned 1 [0114.857] lstrcmpiW (lpString1="Windows Defender", lpString2="AUTOEXEC.BAT") returned 1 [0114.857] lstrcmpiW (lpString1="Windows Defender", lpString2="ntuser.dat") returned 1 [0114.857] lstrcmpiW (lpString1="Windows Defender", lpString2="desktop.ini") returned 1 [0114.857] lstrcmpiW (lpString1="Windows Defender", lpString2="CONFIG.SYS") returned 1 [0114.857] lstrcmpiW (lpString1="Windows Defender", lpString2="RECYCLER") returned 1 [0114.857] lstrcmpiW (lpString1="Windows Defender", lpString2="BOOTSECT.BAK") returned 1 [0114.857] lstrcmpiW (lpString1="Windows Defender", lpString2="bootmgr") returned 1 [0114.857] lstrcmpiW (lpString1="Windows Defender", lpString2="programdata") returned 1 [0114.857] lstrcmpiW (lpString1="Windows Defender", lpString2="appdata") returned 1 [0114.857] lstrcmpiW (lpString1="Windows Defender", lpString2="program files") returned 1 [0114.857] lstrcmpiW (lpString1="Windows Defender", lpString2="program files (x86)") returned 1 [0114.857] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0114.857] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Windows Defender" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender" [0114.857] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" [0114.857] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" [0114.857] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0114.857] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0114.864] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.864] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0114.864] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.864] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.864] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2=".") returned 1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2="..") returned 1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2="...") returned 1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2="windows") returned -1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2="$RECYCLE.BIN") returned 1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2="rsa") returned -1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2="log") returned -1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2="NTDETECT.COM") returned -1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2="ntldr") returned -1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2="MSDOS.SYS") returned -1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2="IO.SYS") returned -1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2="boot.ini") returned 1 [0114.864] lstrcmpiW (lpString1="Definition Updates", lpString2="AUTOEXEC.BAT") returned 1 [0114.865] lstrcmpiW (lpString1="Definition Updates", lpString2="ntuser.dat") returned -1 [0114.865] lstrcmpiW (lpString1="Definition Updates", lpString2="desktop.ini") returned -1 [0114.865] lstrcmpiW (lpString1="Definition Updates", lpString2="CONFIG.SYS") returned 1 [0114.865] lstrcmpiW (lpString1="Definition Updates", lpString2="RECYCLER") returned -1 [0114.865] lstrcmpiW (lpString1="Definition Updates", lpString2="BOOTSECT.BAK") returned 1 [0114.865] lstrcmpiW (lpString1="Definition Updates", lpString2="bootmgr") returned 1 [0114.865] lstrcmpiW (lpString1="Definition Updates", lpString2="programdata") returned -1 [0114.865] lstrcmpiW (lpString1="Definition Updates", lpString2="appdata") returned 1 [0114.865] lstrcmpiW (lpString1="Definition Updates", lpString2="program files") returned -1 [0114.865] lstrcmpiW (lpString1="Definition Updates", lpString2="program files (x86)") returned -1 [0114.865] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" [0114.865] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Definition Updates" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates" [0114.865] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" [0114.865] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" [0114.865] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*" [0114.865] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0114.866] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.866] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0114.866] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.866] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.866] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="Backup", cAlternateFileName="")) returned 1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2=".") returned 1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="..") returned 1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="...") returned 1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="windows") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="$RECYCLE.BIN") returned 1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="rsa") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="log") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="NTDETECT.COM") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="ntldr") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="MSDOS.SYS") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="IO.SYS") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="boot.ini") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="AUTOEXEC.BAT") returned 1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="ntuser.dat") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="desktop.ini") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="CONFIG.SYS") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="RECYCLER") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="BOOTSECT.BAK") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="bootmgr") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="programdata") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="appdata") returned 1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="program files") returned -1 [0114.866] lstrcmpiW (lpString1="Backup", lpString2="program files (x86)") returned -1 [0114.867] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" [0114.867] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="Backup" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup" [0114.867] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\" [0114.867] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\" [0114.867] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*.*" [0114.867] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0114.867] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.867] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0114.867] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.867] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.867] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 0 [0114.867] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0114.867] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="Updates", cAlternateFileName="")) returned 1 [0114.867] lstrcmpiW (lpString1="Updates", lpString2=".") returned 1 [0114.867] lstrcmpiW (lpString1="Updates", lpString2="..") returned 1 [0114.867] lstrcmpiW (lpString1="Updates", lpString2="...") returned 1 [0114.867] lstrcmpiW (lpString1="Updates", lpString2="windows") returned -1 [0114.867] lstrcmpiW (lpString1="Updates", lpString2="$RECYCLE.BIN") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="rsa") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="log") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="NTDETECT.COM") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="ntldr") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="MSDOS.SYS") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="IO.SYS") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="boot.ini") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="AUTOEXEC.BAT") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="ntuser.dat") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="desktop.ini") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="CONFIG.SYS") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="RECYCLER") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="BOOTSECT.BAK") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="bootmgr") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="programdata") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="appdata") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="program files") returned 1 [0114.868] lstrcmpiW (lpString1="Updates", lpString2="program files (x86)") returned 1 [0114.868] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" [0114.868] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="Updates" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates" [0114.868] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\" [0114.868] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\" [0114.868] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*.*" [0114.868] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0114.872] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.872] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0114.872] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.872] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.872] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 0 [0114.872] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0114.872] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", cAlternateFileName="{D2B0B~1")) returned 1 [0114.872] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2=".") returned 1 [0114.872] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="..") returned 1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="...") returned 1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="windows") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="$RECYCLE.BIN") returned 1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="rsa") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="log") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="NTDETECT.COM") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="ntldr") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="MSDOS.SYS") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="IO.SYS") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="boot.ini") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="AUTOEXEC.BAT") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="ntuser.dat") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="desktop.ini") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="CONFIG.SYS") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="RECYCLER") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="BOOTSECT.BAK") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="bootmgr") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="programdata") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="appdata") returned -1 [0114.873] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="program files") returned -1 [0114.874] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="program files (x86)") returned -1 [0114.874] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" [0114.874] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="{D2B0B133-42ED-44D3-809A-46EBB62BA863}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}" [0114.874] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" [0114.874] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" [0114.874] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*" [0114.874] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0114.874] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0114.874] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0114.874] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0114.874] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0114.874] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fd91f9, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fd91f9, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x12c4d000, ftLastWriteTime.dwHighDateTime=0x1cb85c9, nFileSizeHigh=0x0, nFileSizeLow=0xb17190, dwReserved0=0x8a0088, dwReserved1=0x24ddbe0, cFileName="mpasbase.vdm", cAlternateFileName="")) returned 1 [0114.874] lstrcmpiW (lpString1="mpasbase.vdm", lpString2=".") returned 1 [0114.874] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="..") returned 1 [0114.874] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="...") returned 1 [0114.874] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="windows") returned -1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="$RECYCLE.BIN") returned 1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="rsa") returned -1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="log") returned 1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="NTDETECT.COM") returned -1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="ntldr") returned -1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="MSDOS.SYS") returned -1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="IO.SYS") returned 1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="boot.ini") returned 1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="AUTOEXEC.BAT") returned 1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="ntuser.dat") returned -1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="desktop.ini") returned 1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="CONFIG.SYS") returned 1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="RECYCLER") returned -1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="BOOTSECT.BAK") returned 1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="bootmgr") returned 1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="programdata") returned -1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="appdata") returned 1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="program files") returned -1 [0114.875] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="program files (x86)") returned -1 [0114.875] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" [0114.875] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\", lpString2="mpasbase.vdm" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" [0114.875] PathFindExtensionW (pszPath="mpasbase.vdm") returned=".vdm" [0114.875] lstrcmpiW (lpString1=".vdm", lpString2=".exe") returned 1 [0114.875] lstrcmpiW (lpString1=".vdm", lpString2=".log") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".cab") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".cmd") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".com") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".cpl") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".ini") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".dll") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".url") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".ttf") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".mp3") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".pif") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".mp4") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".NEPHILIM") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".msi") returned 1 [0114.876] lstrcmpiW (lpString1=".vdm", lpString2=".lnk") returned 1 [0114.876] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0114.876] lstrlenA (lpString="NEPHILIM") returned 8 [0114.876] GetProcessHeap () returned 0x4e0000 [0114.876] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f7d8 [0114.876] lstrlenA (lpString="NEPHILIM") returned 8 [0114.876] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0114.880] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=11628944) returned 1 [0114.880] GetProcessHeap () returned 0x4e0000 [0114.880] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd90 [0114.880] GetProcessHeap () returned 0x4e0000 [0114.880] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dda8 [0114.880] SystemFunction036 (in: RandomBuffer=0x50dd90, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd90) returned 1 [0114.880] SystemFunction036 (in: RandomBuffer=0x50dda8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dda8) returned 1 [0114.880] GetProcessHeap () returned 0x4e0000 [0114.880] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d620 [0114.880] GetProcessHeap () returned 0x4e0000 [0114.880] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d728 [0114.880] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d620*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x51d620*, pdwDataLen=0x24dce88*=0x100) returned 1 [0114.881] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d728*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x51d728*, pdwDataLen=0x24dce84*=0x100) returned 1 [0114.881] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xb17190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.881] SetLastError (dwErrCode=0x0) [0114.881] WriteFile (in: hFile=0xf8, lpBuffer=0x51d620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x51d620*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.883] GetLastError () returned 0x0 [0114.883] GetLastError () returned 0x0 [0114.884] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xb17290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.884] WriteFile (in: hFile=0xf8, lpBuffer=0x51d728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x51d728*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.885] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0xb17390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.885] lstrlenA (lpString="NEPHILIM") returned 8 [0114.885] WriteFile (in: hFile=0xf8, lpBuffer=0x50f7d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50f7d8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0114.885] GetProcessHeap () returned 0x4e0000 [0114.885] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2110020 [0114.886] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.886] ReadFile (in: hFile=0xf8, lpBuffer=0x2110020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dd0b0*=0x927c0, lpOverlapped=0x0) returned 1 [0114.949] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.949] WriteFile (in: hFile=0xf8, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dd0bc*=0x927c0, lpOverlapped=0x0) returned 1 [0114.953] GetProcessHeap () returned 0x4e0000 [0114.953] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0114.957] CloseHandle (hObject=0xf8) returned 1 [0114.958] GetProcessHeap () returned 0x4e0000 [0114.958] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51d620 | out: hHeap=0x4e0000) returned 1 [0114.958] GetProcessHeap () returned 0x4e0000 [0114.958] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51d728 | out: hHeap=0x4e0000) returned 1 [0114.958] GetProcessHeap () returned 0x4e0000 [0114.958] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dd90 | out: hHeap=0x4e0000) returned 1 [0114.958] GetProcessHeap () returned 0x4e0000 [0114.958] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dda8 | out: hHeap=0x4e0000) returned 1 [0114.958] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" [0114.958] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.NEPHILIM" [0114.958] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm.nephilim")) returned 1 [0114.959] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fff35a, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x6da22700, ftLastWriteTime.dwHighDateTime=0x1cb8783, nFileSizeHigh=0x0, nFileSizeLow=0x52d90, dwReserved0=0x8a0088, dwReserved1=0x24ddbe0, cFileName="mpasdlta.vdm", cAlternateFileName="")) returned 1 [0114.959] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2=".") returned 1 [0114.959] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="..") returned 1 [0114.959] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="...") returned 1 [0114.959] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="windows") returned -1 [0114.959] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="$RECYCLE.BIN") returned 1 [0114.959] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="rsa") returned -1 [0114.959] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="log") returned 1 [0114.959] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="NTDETECT.COM") returned -1 [0114.959] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="ntldr") returned -1 [0114.959] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="MSDOS.SYS") returned -1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="IO.SYS") returned 1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="boot.ini") returned 1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="AUTOEXEC.BAT") returned 1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="ntuser.dat") returned -1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="desktop.ini") returned 1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="CONFIG.SYS") returned 1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="RECYCLER") returned -1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="BOOTSECT.BAK") returned 1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="bootmgr") returned 1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="programdata") returned -1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="appdata") returned 1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="program files") returned -1 [0114.960] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="program files (x86)") returned -1 [0114.960] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" [0114.960] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\", lpString2="mpasdlta.vdm" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" [0114.960] PathFindExtensionW (pszPath="mpasdlta.vdm") returned=".vdm" [0114.960] lstrcmpiW (lpString1=".vdm", lpString2=".exe") returned 1 [0114.960] lstrcmpiW (lpString1=".vdm", lpString2=".log") returned 1 [0114.960] lstrcmpiW (lpString1=".vdm", lpString2=".cab") returned 1 [0114.960] lstrcmpiW (lpString1=".vdm", lpString2=".cmd") returned 1 [0114.960] lstrcmpiW (lpString1=".vdm", lpString2=".com") returned 1 [0114.960] lstrcmpiW (lpString1=".vdm", lpString2=".cpl") returned 1 [0114.960] lstrcmpiW (lpString1=".vdm", lpString2=".ini") returned 1 [0114.960] lstrcmpiW (lpString1=".vdm", lpString2=".dll") returned 1 [0114.960] lstrcmpiW (lpString1=".vdm", lpString2=".url") returned 1 [0114.961] lstrcmpiW (lpString1=".vdm", lpString2=".ttf") returned 1 [0114.961] lstrcmpiW (lpString1=".vdm", lpString2=".mp3") returned 1 [0114.961] lstrcmpiW (lpString1=".vdm", lpString2=".pif") returned 1 [0114.961] lstrcmpiW (lpString1=".vdm", lpString2=".mp4") returned 1 [0114.961] lstrcmpiW (lpString1=".vdm", lpString2=".NEPHILIM") returned 1 [0114.961] lstrcmpiW (lpString1=".vdm", lpString2=".msi") returned 1 [0114.961] lstrcmpiW (lpString1=".vdm", lpString2=".lnk") returned 1 [0114.961] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0114.961] lstrlenA (lpString="NEPHILIM") returned 8 [0114.961] GetProcessHeap () returned 0x4e0000 [0114.961] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f7e8 [0114.961] lstrlenA (lpString="NEPHILIM") returned 8 [0114.961] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf8 [0114.962] GetFileSizeEx (in: hFile=0xf8, lpFileSize=0x24dd0c8 | out: lpFileSize=0x24dd0c8*=339344) returned 1 [0114.962] GetProcessHeap () returned 0x4e0000 [0114.962] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dda8 [0114.962] GetProcessHeap () returned 0x4e0000 [0114.962] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd90 [0114.962] SystemFunction036 (in: RandomBuffer=0x50dda8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dda8) returned 1 [0114.962] SystemFunction036 (in: RandomBuffer=0x50dd90, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd90) returned 1 [0114.962] GetProcessHeap () returned 0x4e0000 [0114.962] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d728 [0114.962] GetProcessHeap () returned 0x4e0000 [0114.962] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d620 [0114.962] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d728*, pdwDataLen=0x24dce88*=0x10, dwBufLen=0x100 | out: pbData=0x51d728*, pdwDataLen=0x24dce88*=0x100) returned 1 [0114.962] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d620*, pdwDataLen=0x24dce84*=0x10, dwBufLen=0x100 | out: pbData=0x51d620*, pdwDataLen=0x24dce84*=0x100) returned 1 [0114.963] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x52d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.963] SetLastError (dwErrCode=0x0) [0114.963] WriteFile (in: hFile=0xf8, lpBuffer=0x51d728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x51d728*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.967] GetLastError () returned 0x0 [0114.967] GetLastError () returned 0x0 [0114.967] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x52e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.967] WriteFile (in: hFile=0xf8, lpBuffer=0x51d620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x51d620*, lpNumberOfBytesWritten=0x24dd0bc*=0x100, lpOverlapped=0x0) returned 1 [0114.967] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x52f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.967] lstrlenA (lpString="NEPHILIM") returned 8 [0114.967] WriteFile (in: hFile=0xf8, lpBuffer=0x50f7e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x50f7e8*, lpNumberOfBytesWritten=0x24dd0bc*=0x8, lpOverlapped=0x0) returned 1 [0114.967] GetProcessHeap () returned 0x4e0000 [0114.967] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x52d90) returned 0x51efd8 [0114.967] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.968] ReadFile (in: hFile=0xf8, lpBuffer=0x51efd8, nNumberOfBytesToRead=0x52d90, lpNumberOfBytesRead=0x24dd0b0, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesRead=0x24dd0b0*=0x52d90, lpOverlapped=0x0) returned 1 [0114.992] SetFilePointerEx (in: hFile=0xf8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.992] WriteFile (in: hFile=0xf8, lpBuffer=0x51efd8*, nNumberOfBytesToWrite=0x52d90, lpNumberOfBytesWritten=0x24dd0bc, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesWritten=0x24dd0bc*=0x52d90, lpOverlapped=0x0) returned 1 [0114.993] GetProcessHeap () returned 0x4e0000 [0114.993] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51efd8 | out: hHeap=0x4e0000) returned 1 [0114.993] CloseHandle (hObject=0xf8) returned 1 [0114.993] GetProcessHeap () returned 0x4e0000 [0114.993] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51d728 | out: hHeap=0x4e0000) returned 1 [0114.993] GetProcessHeap () returned 0x4e0000 [0114.993] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51d620 | out: hHeap=0x4e0000) returned 1 [0114.993] GetProcessHeap () returned 0x4e0000 [0114.993] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dda8 | out: hHeap=0x4e0000) returned 1 [0114.994] GetProcessHeap () returned 0x4e0000 [0114.994] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dd90 | out: hHeap=0x4e0000) returned 1 [0114.994] lstrcpyW (in: lpString1=0x24dcea8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" [0114.994] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.NEPHILIM" [0114.994] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm.nephilim")) returned 1 [0114.995] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x93b6800, ftLastWriteTime.dwHighDateTime=0x1cb85c9, nFileSizeHigh=0x0, nFileSizeLow=0x7d1d50, dwReserved0=0x8a0088, dwReserved1=0x24ddbe0, cFileName="mpengine.dll", cAlternateFileName="")) returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2=".") returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="..") returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="...") returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="windows") returned -1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="$RECYCLE.BIN") returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="rsa") returned -1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="log") returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="NTDETECT.COM") returned -1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="ntldr") returned -1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="MSDOS.SYS") returned -1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="IO.SYS") returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="boot.ini") returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="AUTOEXEC.BAT") returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="ntuser.dat") returned -1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="desktop.ini") returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="CONFIG.SYS") returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="RECYCLER") returned -1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="BOOTSECT.BAK") returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="bootmgr") returned 1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="programdata") returned -1 [0114.995] lstrcmpiW (lpString1="mpengine.dll", lpString2="appdata") returned 1 [0114.996] lstrcmpiW (lpString1="mpengine.dll", lpString2="program files") returned -1 [0114.996] lstrcmpiW (lpString1="mpengine.dll", lpString2="program files (x86)") returned -1 [0114.996] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" [0114.996] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\", lpString2="mpengine.dll" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll" [0114.996] PathFindExtensionW (pszPath="mpengine.dll") returned=".dll" [0114.996] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0114.996] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0114.996] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0114.996] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0114.996] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0114.996] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0114.996] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0114.996] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0114.996] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x93b6800, ftLastWriteTime.dwHighDateTime=0x1cb85c9, nFileSizeHigh=0x0, nFileSizeLow=0x7d1d50, dwReserved0=0x8a0088, dwReserved1=0x24ddbe0, cFileName="mpengine.dll", cAlternateFileName="")) returned 0 [0114.996] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0114.996] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", cAlternateFileName="{D2B0B~1")) returned 0 [0114.996] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0114.996] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0114.996] lstrcmpiW (lpString1="LocalCopy", lpString2=".") returned 1 [0114.996] lstrcmpiW (lpString1="LocalCopy", lpString2="..") returned 1 [0114.996] lstrcmpiW (lpString1="LocalCopy", lpString2="...") returned 1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="windows") returned -1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="$RECYCLE.BIN") returned 1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="rsa") returned -1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="log") returned -1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="NTDETECT.COM") returned -1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="ntldr") returned -1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="MSDOS.SYS") returned -1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="IO.SYS") returned 1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="boot.ini") returned 1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="AUTOEXEC.BAT") returned 1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="ntuser.dat") returned -1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="desktop.ini") returned 1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="CONFIG.SYS") returned 1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="RECYCLER") returned -1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="BOOTSECT.BAK") returned 1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="bootmgr") returned 1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="programdata") returned -1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="appdata") returned 1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="program files") returned -1 [0114.997] lstrcmpiW (lpString1="LocalCopy", lpString2="program files (x86)") returned -1 [0115.000] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" [0115.000] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="LocalCopy" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy" [0115.000] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\" [0115.000] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\" [0115.000] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*.*" [0115.000] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0115.001] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.001] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0115.001] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.001] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.001] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 0 [0115.001] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0115.001] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0115.001] lstrcmpiW (lpString1="Quarantine", lpString2=".") returned 1 [0115.001] lstrcmpiW (lpString1="Quarantine", lpString2="..") returned 1 [0115.001] lstrcmpiW (lpString1="Quarantine", lpString2="...") returned 1 [0115.001] lstrcmpiW (lpString1="Quarantine", lpString2="windows") returned -1 [0115.001] lstrcmpiW (lpString1="Quarantine", lpString2="$RECYCLE.BIN") returned 1 [0115.001] lstrcmpiW (lpString1="Quarantine", lpString2="rsa") returned -1 [0115.001] lstrcmpiW (lpString1="Quarantine", lpString2="log") returned 1 [0115.001] lstrcmpiW (lpString1="Quarantine", lpString2="NTDETECT.COM") returned 1 [0115.001] lstrcmpiW (lpString1="Quarantine", lpString2="ntldr") returned 1 [0115.001] lstrcmpiW (lpString1="Quarantine", lpString2="MSDOS.SYS") returned 1 [0115.001] lstrcmpiW (lpString1="Quarantine", lpString2="IO.SYS") returned 1 [0115.002] lstrcmpiW (lpString1="Quarantine", lpString2="boot.ini") returned 1 [0115.002] lstrcmpiW (lpString1="Quarantine", lpString2="AUTOEXEC.BAT") returned 1 [0115.002] lstrcmpiW (lpString1="Quarantine", lpString2="ntuser.dat") returned 1 [0115.002] lstrcmpiW (lpString1="Quarantine", lpString2="desktop.ini") returned 1 [0115.002] lstrcmpiW (lpString1="Quarantine", lpString2="CONFIG.SYS") returned 1 [0115.002] lstrcmpiW (lpString1="Quarantine", lpString2="RECYCLER") returned -1 [0115.002] lstrcmpiW (lpString1="Quarantine", lpString2="BOOTSECT.BAK") returned 1 [0115.002] lstrcmpiW (lpString1="Quarantine", lpString2="bootmgr") returned 1 [0115.002] lstrcmpiW (lpString1="Quarantine", lpString2="programdata") returned 1 [0115.002] lstrcmpiW (lpString1="Quarantine", lpString2="appdata") returned 1 [0115.002] lstrcmpiW (lpString1="Quarantine", lpString2="program files") returned 1 [0115.002] lstrcmpiW (lpString1="Quarantine", lpString2="program files (x86)") returned 1 [0115.002] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" [0115.002] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Quarantine" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine" [0115.002] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\" [0115.002] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\" [0115.002] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*.*" [0115.002] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0115.003] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.003] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0115.003] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.003] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.003] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 0 [0115.003] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0115.003] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Scans", cAlternateFileName="")) returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2=".") returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="..") returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="...") returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="windows") returned -1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="$RECYCLE.BIN") returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="rsa") returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="log") returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="NTDETECT.COM") returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="ntldr") returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="MSDOS.SYS") returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="IO.SYS") returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="boot.ini") returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="AUTOEXEC.BAT") returned 1 [0115.003] lstrcmpiW (lpString1="Scans", lpString2="ntuser.dat") returned 1 [0115.004] lstrcmpiW (lpString1="Scans", lpString2="desktop.ini") returned 1 [0115.004] lstrcmpiW (lpString1="Scans", lpString2="CONFIG.SYS") returned 1 [0115.004] lstrcmpiW (lpString1="Scans", lpString2="RECYCLER") returned 1 [0115.004] lstrcmpiW (lpString1="Scans", lpString2="BOOTSECT.BAK") returned 1 [0115.004] lstrcmpiW (lpString1="Scans", lpString2="bootmgr") returned 1 [0115.004] lstrcmpiW (lpString1="Scans", lpString2="programdata") returned 1 [0115.004] lstrcmpiW (lpString1="Scans", lpString2="appdata") returned 1 [0115.004] lstrcmpiW (lpString1="Scans", lpString2="program files") returned 1 [0115.004] lstrcmpiW (lpString1="Scans", lpString2="program files (x86)") returned 1 [0115.004] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" [0115.004] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Scans" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans" [0115.004] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\" [0115.004] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\" [0115.004] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*" [0115.004] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0115.008] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.008] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0115.008] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.008] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.009] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="History", cAlternateFileName="")) returned 1 [0115.009] lstrcmpiW (lpString1="History", lpString2=".") returned 1 [0115.009] lstrcmpiW (lpString1="History", lpString2="..") returned 1 [0115.009] lstrcmpiW (lpString1="History", lpString2="...") returned 1 [0115.009] lstrcmpiW (lpString1="History", lpString2="windows") returned -1 [0115.009] lstrcmpiW (lpString1="History", lpString2="$RECYCLE.BIN") returned 1 [0115.009] lstrcmpiW (lpString1="History", lpString2="rsa") returned -1 [0115.009] lstrcmpiW (lpString1="History", lpString2="log") returned -1 [0115.009] lstrcmpiW (lpString1="History", lpString2="NTDETECT.COM") returned -1 [0115.009] lstrcmpiW (lpString1="History", lpString2="ntldr") returned -1 [0115.009] lstrcmpiW (lpString1="History", lpString2="MSDOS.SYS") returned -1 [0115.009] lstrcmpiW (lpString1="History", lpString2="IO.SYS") returned -1 [0115.009] lstrcmpiW (lpString1="History", lpString2="boot.ini") returned 1 [0115.009] lstrcmpiW (lpString1="History", lpString2="AUTOEXEC.BAT") returned 1 [0115.009] lstrcmpiW (lpString1="History", lpString2="ntuser.dat") returned -1 [0115.009] lstrcmpiW (lpString1="History", lpString2="desktop.ini") returned 1 [0115.009] lstrcmpiW (lpString1="History", lpString2="CONFIG.SYS") returned 1 [0115.009] lstrcmpiW (lpString1="History", lpString2="RECYCLER") returned -1 [0115.009] lstrcmpiW (lpString1="History", lpString2="BOOTSECT.BAK") returned 1 [0115.009] lstrcmpiW (lpString1="History", lpString2="bootmgr") returned 1 [0115.009] lstrcmpiW (lpString1="History", lpString2="programdata") returned -1 [0115.009] lstrcmpiW (lpString1="History", lpString2="appdata") returned 1 [0115.009] lstrcmpiW (lpString1="History", lpString2="program files") returned -1 [0115.009] lstrcmpiW (lpString1="History", lpString2="program files (x86)") returned -1 [0115.009] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\" [0115.010] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\", lpString2="History" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History" [0115.010] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" [0115.010] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" [0115.010] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*" [0115.010] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0115.010] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.010] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0115.010] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.010] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.010] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x24ddbe0, cFileName="CacheManager", cAlternateFileName="CACHEM~1")) returned 1 [0115.010] lstrcmpiW (lpString1="CacheManager", lpString2=".") returned 1 [0115.010] lstrcmpiW (lpString1="CacheManager", lpString2="..") returned 1 [0115.010] lstrcmpiW (lpString1="CacheManager", lpString2="...") returned 1 [0115.010] lstrcmpiW (lpString1="CacheManager", lpString2="windows") returned -1 [0115.010] lstrcmpiW (lpString1="CacheManager", lpString2="$RECYCLE.BIN") returned 1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="rsa") returned -1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="log") returned -1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="NTDETECT.COM") returned -1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="ntldr") returned -1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="MSDOS.SYS") returned -1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="IO.SYS") returned -1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="boot.ini") returned 1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="AUTOEXEC.BAT") returned 1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="ntuser.dat") returned -1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="desktop.ini") returned -1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="CONFIG.SYS") returned -1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="RECYCLER") returned -1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="BOOTSECT.BAK") returned 1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="bootmgr") returned 1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="programdata") returned -1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="appdata") returned 1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="program files") returned -1 [0115.011] lstrcmpiW (lpString1="CacheManager", lpString2="program files (x86)") returned -1 [0115.011] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" [0115.011] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="CacheManager" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" [0115.011] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\" [0115.011] lstrcpyW (in: lpString1=0x24dcee0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\" [0115.011] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*" [0115.011] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*", lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName=".", cAlternateFileName="")) returned 0x50aa00 [0115.012] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.012] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 1 [0115.012] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.012] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.012] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcfc0a7e0, ftCreationTime.dwHighDateTime=0x1d2faf9, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc30940, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x33b60, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName="MpSfc.bin", cAlternateFileName="")) returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2=".") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="..") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="...") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="windows") returned -1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="$RECYCLE.BIN") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="rsa") returned -1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="log") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="NTDETECT.COM") returned -1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="ntldr") returned -1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="MSDOS.SYS") returned -1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="IO.SYS") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="boot.ini") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="AUTOEXEC.BAT") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="ntuser.dat") returned -1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="desktop.ini") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="CONFIG.SYS") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="RECYCLER") returned -1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="BOOTSECT.BAK") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="bootmgr") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="programdata") returned -1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="appdata") returned 1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="program files") returned -1 [0115.012] lstrcmpiW (lpString1="MpSfc.bin", lpString2="program files (x86)") returned -1 [0115.012] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\" [0115.013] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\", lpString2="MpSfc.bin" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" [0115.013] PathFindExtensionW (pszPath="MpSfc.bin") returned=".bin" [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".exe") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".log") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".cab") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".cmd") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".com") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".cpl") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".url") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".ttf") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".mp3") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".pif") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".mp4") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".NEPHILIM") returned -1 [0115.013] lstrcmpiW (lpString1=".bin", lpString2=".msi") returned -1 [0115.014] lstrcmpiW (lpString1=".bin", lpString2=".lnk") returned -1 [0115.014] lstrcmpiW (lpString1="MpSfc.bin", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.014] lstrlenA (lpString="NEPHILIM") returned 8 [0115.014] GetProcessHeap () returned 0x4e0000 [0115.014] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f7f8 [0115.014] lstrlenA (lpString="NEPHILIM") returned 8 [0115.014] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xfc [0115.014] GetFileSizeEx (in: hFile=0xfc, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=211808) returned 1 [0115.014] GetProcessHeap () returned 0x4e0000 [0115.014] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd90 [0115.014] GetProcessHeap () returned 0x4e0000 [0115.014] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dda8 [0115.015] SystemFunction036 (in: RandomBuffer=0x50dd90, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd90) returned 1 [0115.015] SystemFunction036 (in: RandomBuffer=0x50dda8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dda8) returned 1 [0115.015] GetProcessHeap () returned 0x4e0000 [0115.015] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d620 [0115.015] GetProcessHeap () returned 0x4e0000 [0115.015] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d728 [0115.015] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d620*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x51d620*, pdwDataLen=0x24dc808*=0x100) returned 1 [0115.015] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d728*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x51d728*, pdwDataLen=0x24dc804*=0x100) returned 1 [0115.015] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x33b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.015] SetLastError (dwErrCode=0x0) [0115.015] WriteFile (in: hFile=0xfc, lpBuffer=0x51d620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x51d620*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0115.032] GetLastError () returned 0x0 [0115.032] GetLastError () returned 0x0 [0115.032] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x33c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.032] WriteFile (in: hFile=0xfc, lpBuffer=0x51d728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x51d728*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0115.032] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x33d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.032] lstrlenA (lpString="NEPHILIM") returned 8 [0115.032] WriteFile (in: hFile=0xfc, lpBuffer=0x50f7f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50f7f8*, lpNumberOfBytesWritten=0x24dca3c*=0x8, lpOverlapped=0x0) returned 1 [0115.032] GetProcessHeap () returned 0x4e0000 [0115.032] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x33b60) returned 0x51ffe0 [0115.033] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.033] ReadFile (in: hFile=0xfc, lpBuffer=0x51ffe0, nNumberOfBytesToRead=0x33b60, lpNumberOfBytesRead=0x24dca30, lpOverlapped=0x0 | out: lpBuffer=0x51ffe0*, lpNumberOfBytesRead=0x24dca30*=0x33b60, lpOverlapped=0x0) returned 1 [0115.044] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.044] WriteFile (in: hFile=0xfc, lpBuffer=0x51ffe0*, nNumberOfBytesToWrite=0x33b60, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x51ffe0*, lpNumberOfBytesWritten=0x24dca3c*=0x33b60, lpOverlapped=0x0) returned 1 [0115.045] GetProcessHeap () returned 0x4e0000 [0115.045] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51ffe0 | out: hHeap=0x4e0000) returned 1 [0115.045] CloseHandle (hObject=0xfc) returned 1 [0115.045] GetProcessHeap () returned 0x4e0000 [0115.045] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51d620 | out: hHeap=0x4e0000) returned 1 [0115.045] GetProcessHeap () returned 0x4e0000 [0115.045] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51d728 | out: hHeap=0x4e0000) returned 1 [0115.045] GetProcessHeap () returned 0x4e0000 [0115.045] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dd90 | out: hHeap=0x4e0000) returned 1 [0115.045] GetProcessHeap () returned 0x4e0000 [0115.045] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dda8 | out: hHeap=0x4e0000) returned 1 [0115.045] lstrcpyW (in: lpString1=0x24dc828, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" [0115.045] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.NEPHILIM" [0115.046] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin.nephilim")) returned 1 [0115.046] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcfc0a7e0, ftCreationTime.dwHighDateTime=0x1d2faf9, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc30940, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x33b60, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName="MpSfc.bin", cAlternateFileName="")) returned 0 [0115.046] FindClose (in: hFindFile=0x50aa00 | out: hFindFile=0x50aa00) returned 1 [0115.046] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x24ddbe0, cFileName="Results", cAlternateFileName="")) returned 1 [0115.046] lstrcmpiW (lpString1="Results", lpString2=".") returned 1 [0115.046] lstrcmpiW (lpString1="Results", lpString2="..") returned 1 [0115.046] lstrcmpiW (lpString1="Results", lpString2="...") returned 1 [0115.046] lstrcmpiW (lpString1="Results", lpString2="windows") returned -1 [0115.046] lstrcmpiW (lpString1="Results", lpString2="$RECYCLE.BIN") returned 1 [0115.046] lstrcmpiW (lpString1="Results", lpString2="rsa") returned -1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="log") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="NTDETECT.COM") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="ntldr") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="MSDOS.SYS") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="IO.SYS") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="boot.ini") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="AUTOEXEC.BAT") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="ntuser.dat") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="desktop.ini") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="CONFIG.SYS") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="RECYCLER") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="BOOTSECT.BAK") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="bootmgr") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="programdata") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="appdata") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="program files") returned 1 [0115.047] lstrcmpiW (lpString1="Results", lpString2="program files (x86)") returned 1 [0115.047] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" [0115.047] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="Results" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results" [0115.047] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\" [0115.047] lstrcpyW (in: lpString1=0x24dcee0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\" [0115.047] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*" [0115.047] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*", lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName=".", cAlternateFileName="")) returned 0x50aa00 [0115.047] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.047] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 1 [0115.047] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.048] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.048] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName="Resource", cAlternateFileName="")) returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2=".") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="..") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="...") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="windows") returned -1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="$RECYCLE.BIN") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="rsa") returned -1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="log") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="NTDETECT.COM") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="ntldr") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="MSDOS.SYS") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="IO.SYS") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="boot.ini") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="AUTOEXEC.BAT") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="ntuser.dat") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="desktop.ini") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="CONFIG.SYS") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="RECYCLER") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="BOOTSECT.BAK") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="bootmgr") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="programdata") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="appdata") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="program files") returned 1 [0115.048] lstrcmpiW (lpString1="Resource", lpString2="program files (x86)") returned 1 [0115.048] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\" [0115.048] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\", lpString2="Resource" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource" [0115.048] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\" [0115.048] lstrcpyW (in: lpString1=0x24dc860, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\" [0115.048] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*.*" [0115.048] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*.*", lpFindFileData=0x24dc408 | out: lpFindFileData=0x24dc408*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x90008e, dwReserved1=0x24dcee0, cFileName=".", cAlternateFileName="")) returned 0x50aa40 [0115.049] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.049] FindNextFileW (in: hFindFile=0x50aa40, lpFindFileData=0x24dc408 | out: lpFindFileData=0x24dc408*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x90008e, dwReserved1=0x24dcee0, cFileName="..", cAlternateFileName="")) returned 1 [0115.049] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.049] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.049] FindNextFileW (in: hFindFile=0x50aa40, lpFindFileData=0x24dc408 | out: lpFindFileData=0x24dc408*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80be8ad0, ftCreationTime.dwHighDateTime=0x1d33740, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x81085570, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x1a60, dwReserved0=0x90008e, dwReserved1=0x24dcee0, cFileName="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", cAlternateFileName="{1D1DB~1")) returned 1 [0115.049] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2=".") returned 1 [0115.049] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="..") returned 1 [0115.049] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="...") returned 1 [0115.049] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="windows") returned -1 [0115.049] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="$RECYCLE.BIN") returned 1 [0115.049] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="rsa") returned -1 [0115.049] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="log") returned -1 [0115.049] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="NTDETECT.COM") returned -1 [0115.049] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="ntldr") returned -1 [0115.049] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="MSDOS.SYS") returned -1 [0115.049] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="IO.SYS") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="boot.ini") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="AUTOEXEC.BAT") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="ntuser.dat") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="desktop.ini") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="CONFIG.SYS") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="RECYCLER") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="BOOTSECT.BAK") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="bootmgr") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="programdata") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="appdata") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="program files") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="program files (x86)") returned -1 [0115.050] lstrcpyW (in: lpString1=0x24dc658, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\" [0115.050] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\", lpString2="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" [0115.050] PathFindExtensionW (pszPath="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned="" [0115.050] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".log") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".cab") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".cmd") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".com") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".cpl") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".ini") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".url") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".ttf") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".mp3") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".pif") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".mp4") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".NEPHILIM") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0115.050] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0115.050] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.050] lstrlenA (lpString="NEPHILIM") returned 8 [0115.050] GetProcessHeap () returned 0x4e0000 [0115.050] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f808 [0115.051] lstrlenA (lpString="NEPHILIM") returned 8 [0115.051] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x100 [0115.051] GetFileSizeEx (in: hFile=0x100, lpFileSize=0x24dc3c8 | out: lpFileSize=0x24dc3c8*=6752) returned 1 [0115.051] GetProcessHeap () returned 0x4e0000 [0115.051] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dda8 [0115.051] GetProcessHeap () returned 0x4e0000 [0115.051] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd90 [0115.051] SystemFunction036 (in: RandomBuffer=0x50dda8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dda8) returned 1 [0115.051] SystemFunction036 (in: RandomBuffer=0x50dd90, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd90) returned 1 [0115.051] GetProcessHeap () returned 0x4e0000 [0115.051] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d728 [0115.052] GetProcessHeap () returned 0x4e0000 [0115.052] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d620 [0115.052] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d728*, pdwDataLen=0x24dc188*=0x10, dwBufLen=0x100 | out: pbData=0x51d728*, pdwDataLen=0x24dc188*=0x100) returned 1 [0115.052] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d620*, pdwDataLen=0x24dc184*=0x10, dwBufLen=0x100 | out: pbData=0x51d620*, pdwDataLen=0x24dc184*=0x100) returned 1 [0115.052] SetFilePointerEx (in: hFile=0x100, liDistanceToMove=0x1a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.052] SetLastError (dwErrCode=0x0) [0115.052] WriteFile (in: hFile=0x100, lpBuffer=0x51d728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dc3bc, lpOverlapped=0x0 | out: lpBuffer=0x51d728*, lpNumberOfBytesWritten=0x24dc3bc*=0x100, lpOverlapped=0x0) returned 1 [0115.069] GetLastError () returned 0x0 [0115.069] GetLastError () returned 0x0 [0115.069] SetFilePointerEx (in: hFile=0x100, liDistanceToMove=0x1b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.069] WriteFile (in: hFile=0x100, lpBuffer=0x51d620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dc3bc, lpOverlapped=0x0 | out: lpBuffer=0x51d620*, lpNumberOfBytesWritten=0x24dc3bc*=0x100, lpOverlapped=0x0) returned 1 [0115.069] SetFilePointerEx (in: hFile=0x100, liDistanceToMove=0x1c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.069] lstrlenA (lpString="NEPHILIM") returned 8 [0115.069] WriteFile (in: hFile=0x100, lpBuffer=0x50f808*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dc3bc, lpOverlapped=0x0 | out: lpBuffer=0x50f808*, lpNumberOfBytesWritten=0x24dc3bc*=0x8, lpOverlapped=0x0) returned 1 [0115.069] GetProcessHeap () returned 0x4e0000 [0115.069] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1a60) returned 0x520fe8 [0115.069] SetFilePointerEx (in: hFile=0x100, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.069] ReadFile (in: hFile=0x100, lpBuffer=0x520fe8, nNumberOfBytesToRead=0x1a60, lpNumberOfBytesRead=0x24dc3b0, lpOverlapped=0x0 | out: lpBuffer=0x520fe8*, lpNumberOfBytesRead=0x24dc3b0*=0x1a60, lpOverlapped=0x0) returned 1 [0115.073] SetFilePointerEx (in: hFile=0x100, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.073] WriteFile (in: hFile=0x100, lpBuffer=0x520fe8*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x24dc3bc, lpOverlapped=0x0 | out: lpBuffer=0x520fe8*, lpNumberOfBytesWritten=0x24dc3bc*=0x1a60, lpOverlapped=0x0) returned 1 [0115.073] GetProcessHeap () returned 0x4e0000 [0115.073] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x520fe8 | out: hHeap=0x4e0000) returned 1 [0115.073] CloseHandle (hObject=0x100) returned 1 [0115.074] GetProcessHeap () returned 0x4e0000 [0115.074] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51d728 | out: hHeap=0x4e0000) returned 1 [0115.074] GetProcessHeap () returned 0x4e0000 [0115.074] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51d620 | out: hHeap=0x4e0000) returned 1 [0115.074] GetProcessHeap () returned 0x4e0000 [0115.074] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dda8 | out: hHeap=0x4e0000) returned 1 [0115.074] GetProcessHeap () returned 0x4e0000 [0115.074] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dd90 | out: hHeap=0x4e0000) returned 1 [0115.074] lstrcpyW (in: lpString1=0x24dc1a8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" [0115.074] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.NEPHILIM" [0115.074] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}"), lpNewFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}.nephilim")) returned 1 [0115.075] FindNextFileW (in: hFindFile=0x50aa40, lpFindFileData=0x24dc408 | out: lpFindFileData=0x24dc408*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80be8ad0, ftCreationTime.dwHighDateTime=0x1d33740, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x81085570, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x1a60, dwReserved0=0x90008e, dwReserved1=0x24dcee0, cFileName="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", cAlternateFileName="{1D1DB~1")) returned 0 [0115.075] FindClose (in: hFindFile=0x50aa40 | out: hFindFile=0x50aa40) returned 1 [0115.075] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName="Resource", cAlternateFileName="")) returned 0 [0115.075] FindClose (in: hFindFile=0x50aa00 | out: hFindFile=0x50aa00) returned 1 [0115.075] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x24ddbe0, cFileName="Service", cAlternateFileName="")) returned 1 [0115.075] lstrcmpiW (lpString1="Service", lpString2=".") returned 1 [0115.075] lstrcmpiW (lpString1="Service", lpString2="..") returned 1 [0115.075] lstrcmpiW (lpString1="Service", lpString2="...") returned 1 [0115.075] lstrcmpiW (lpString1="Service", lpString2="windows") returned -1 [0115.075] lstrcmpiW (lpString1="Service", lpString2="$RECYCLE.BIN") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="rsa") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="log") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="NTDETECT.COM") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="ntldr") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="MSDOS.SYS") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="IO.SYS") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="boot.ini") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="AUTOEXEC.BAT") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="ntuser.dat") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="desktop.ini") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="CONFIG.SYS") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="RECYCLER") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="BOOTSECT.BAK") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="bootmgr") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="programdata") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="appdata") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="program files") returned 1 [0115.076] lstrcmpiW (lpString1="Service", lpString2="program files (x86)") returned 1 [0115.076] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" [0115.076] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="Service" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service" [0115.076] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" [0115.076] lstrcpyW (in: lpString1=0x24dcee0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" [0115.076] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*" [0115.076] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*", lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName=".", cAlternateFileName="")) returned 0x50aa00 [0115.078] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.078] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 1 [0115.078] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.078] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.078] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb9820270, ftCreationTime.dwHighDateTime=0x1d2faf0, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0x7de6c9b0, ftLastWriteTime.dwHighDateTime=0x1d3373d, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName="History.Log", cAlternateFileName="")) returned 1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2=".") returned 1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="..") returned 1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="...") returned 1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="windows") returned -1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="$RECYCLE.BIN") returned 1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="rsa") returned -1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="log") returned -1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="NTDETECT.COM") returned -1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="ntldr") returned -1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="MSDOS.SYS") returned -1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="IO.SYS") returned -1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="boot.ini") returned 1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="AUTOEXEC.BAT") returned 1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="ntuser.dat") returned -1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="desktop.ini") returned 1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="CONFIG.SYS") returned 1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="RECYCLER") returned -1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="BOOTSECT.BAK") returned 1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="bootmgr") returned 1 [0115.078] lstrcmpiW (lpString1="History.Log", lpString2="programdata") returned -1 [0115.079] lstrcmpiW (lpString1="History.Log", lpString2="appdata") returned 1 [0115.079] lstrcmpiW (lpString1="History.Log", lpString2="program files") returned -1 [0115.079] lstrcmpiW (lpString1="History.Log", lpString2="program files (x86)") returned -1 [0115.079] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" [0115.079] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\", lpString2="History.Log" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log" [0115.079] PathFindExtensionW (pszPath="History.Log") returned=".Log" [0115.079] lstrcmpiW (lpString1=".Log", lpString2=".exe") returned 1 [0115.079] lstrcmpiW (lpString1=".Log", lpString2=".log") returned 0 [0115.079] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xadeed740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xadeed740, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x2d1f02a0, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x1a86, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName="Unknown.Log", cAlternateFileName="")) returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2=".") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="..") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="...") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="windows") returned -1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="$RECYCLE.BIN") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="rsa") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="log") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="NTDETECT.COM") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="ntldr") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="MSDOS.SYS") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="IO.SYS") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="boot.ini") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="AUTOEXEC.BAT") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="ntuser.dat") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="desktop.ini") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="CONFIG.SYS") returned 1 [0115.079] lstrcmpiW (lpString1="Unknown.Log", lpString2="RECYCLER") returned 1 [0115.080] lstrcmpiW (lpString1="Unknown.Log", lpString2="BOOTSECT.BAK") returned 1 [0115.080] lstrcmpiW (lpString1="Unknown.Log", lpString2="bootmgr") returned 1 [0115.080] lstrcmpiW (lpString1="Unknown.Log", lpString2="programdata") returned 1 [0115.080] lstrcmpiW (lpString1="Unknown.Log", lpString2="appdata") returned 1 [0115.080] lstrcmpiW (lpString1="Unknown.Log", lpString2="program files") returned 1 [0115.080] lstrcmpiW (lpString1="Unknown.Log", lpString2="program files (x86)") returned 1 [0115.080] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" [0115.080] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\", lpString2="Unknown.Log" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" [0115.080] PathFindExtensionW (pszPath="Unknown.Log") returned=".Log" [0115.080] lstrcmpiW (lpString1=".Log", lpString2=".exe") returned 1 [0115.080] lstrcmpiW (lpString1=".Log", lpString2=".log") returned 0 [0115.080] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xadeed740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xadeed740, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x2d1f02a0, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x1a86, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName="Unknown.Log", cAlternateFileName="")) returned 0 [0115.080] FindClose (in: hFindFile=0x50aa00 | out: hFindFile=0x50aa00) returned 1 [0115.080] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x24ddbe0, cFileName="Store", cAlternateFileName="")) returned 1 [0115.080] lstrcmpiW (lpString1="Store", lpString2=".") returned 1 [0115.080] lstrcmpiW (lpString1="Store", lpString2="..") returned 1 [0115.080] lstrcmpiW (lpString1="Store", lpString2="...") returned 1 [0115.080] lstrcmpiW (lpString1="Store", lpString2="windows") returned -1 [0115.080] lstrcmpiW (lpString1="Store", lpString2="$RECYCLE.BIN") returned 1 [0115.080] lstrcmpiW (lpString1="Store", lpString2="rsa") returned 1 [0115.080] lstrcmpiW (lpString1="Store", lpString2="log") returned 1 [0115.080] lstrcmpiW (lpString1="Store", lpString2="NTDETECT.COM") returned 1 [0115.080] lstrcmpiW (lpString1="Store", lpString2="ntldr") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="MSDOS.SYS") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="IO.SYS") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="boot.ini") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="AUTOEXEC.BAT") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="ntuser.dat") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="desktop.ini") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="CONFIG.SYS") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="RECYCLER") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="BOOTSECT.BAK") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="bootmgr") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="programdata") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="appdata") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="program files") returned 1 [0115.081] lstrcmpiW (lpString1="Store", lpString2="program files (x86)") returned 1 [0115.081] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" [0115.081] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="Store" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store" [0115.081] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\" [0115.081] lstrcpyW (in: lpString1=0x24dcee0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\" [0115.081] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*.*" [0115.081] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*.*", lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName=".", cAlternateFileName="")) returned 0x50aa00 [0115.082] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.082] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 1 [0115.082] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.082] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.082] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 0 [0115.082] FindClose (in: hFindFile=0x50aa00 | out: hFindFile=0x50aa00) returned 1 [0115.082] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x24ddbe0, cFileName="Store", cAlternateFileName="")) returned 0 [0115.082] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0115.082] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="History", cAlternateFileName="")) returned 0 [0115.082] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0115.082] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Support", cAlternateFileName="")) returned 1 [0115.082] lstrcmpiW (lpString1="Support", lpString2=".") returned 1 [0115.082] lstrcmpiW (lpString1="Support", lpString2="..") returned 1 [0115.082] lstrcmpiW (lpString1="Support", lpString2="...") returned 1 [0115.082] lstrcmpiW (lpString1="Support", lpString2="windows") returned -1 [0115.082] lstrcmpiW (lpString1="Support", lpString2="$RECYCLE.BIN") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="rsa") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="log") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="NTDETECT.COM") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="ntldr") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="MSDOS.SYS") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="IO.SYS") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="boot.ini") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="AUTOEXEC.BAT") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="ntuser.dat") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="desktop.ini") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="CONFIG.SYS") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="RECYCLER") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="BOOTSECT.BAK") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="bootmgr") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="programdata") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="appdata") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="program files") returned 1 [0115.083] lstrcmpiW (lpString1="Support", lpString2="program files (x86)") returned 1 [0115.083] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\" [0115.083] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Support" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support" [0115.083] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\" [0115.083] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\" [0115.083] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*" [0115.083] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0115.084] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.084] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0115.084] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.084] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.084] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x76792c22, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x798d48a0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x30ada, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="MPLog-07132009-221054.log", cAlternateFileName="MPLOG-~1.LOG")) returned 1 [0115.084] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2=".") returned 1 [0115.084] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="..") returned 1 [0115.084] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="...") returned 1 [0115.084] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="windows") returned -1 [0115.084] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="$RECYCLE.BIN") returned 1 [0115.084] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="rsa") returned -1 [0115.084] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="log") returned 1 [0115.084] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="NTDETECT.COM") returned -1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="ntldr") returned -1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="MSDOS.SYS") returned -1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="IO.SYS") returned 1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="boot.ini") returned 1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="AUTOEXEC.BAT") returned 1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="ntuser.dat") returned -1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="desktop.ini") returned 1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="CONFIG.SYS") returned 1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="RECYCLER") returned -1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="BOOTSECT.BAK") returned 1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="bootmgr") returned 1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="programdata") returned -1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="appdata") returned 1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="program files") returned -1 [0115.085] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="program files (x86)") returned -1 [0115.085] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\" [0115.085] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\", lpString2="MPLog-07132009-221054.log" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned="C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" [0115.085] PathFindExtensionW (pszPath="MPLog-07132009-221054.log") returned=".log" [0115.085] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0115.085] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0115.085] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x76792c22, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x798d48a0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x30ada, dwReserved0=0x640062, dwReserved1=0x24de260, cFileName="MPLog-07132009-221054.log", cAlternateFileName="MPLOG-~1.LOG")) returned 0 [0115.085] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0115.085] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Support", cAlternateFileName="")) returned 0 [0115.085] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0115.086] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2=".") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="..") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="...") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="windows") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="$RECYCLE.BIN") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="rsa") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="log") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="NTDETECT.COM") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="ntldr") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="MSDOS.SYS") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="IO.SYS") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="boot.ini") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="AUTOEXEC.BAT") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="ntuser.dat") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="desktop.ini") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="CONFIG.SYS") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="RECYCLER") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="BOOTSECT.BAK") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="bootmgr") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="programdata") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="appdata") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="program files") returned 1 [0115.086] lstrcmpiW (lpString1="Windows NT", lpString2="program files (x86)") returned 1 [0115.086] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0115.086] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="Windows NT" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT") returned="C:\\Users\\All Users\\Microsoft\\Windows NT" [0115.087] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\" [0115.087] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\" [0115.087] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*" [0115.087] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0115.087] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.087] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0115.087] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.087] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.087] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="MSFax", cAlternateFileName="")) returned 1 [0115.087] lstrcmpiW (lpString1="MSFax", lpString2=".") returned 1 [0115.087] lstrcmpiW (lpString1="MSFax", lpString2="..") returned 1 [0115.087] lstrcmpiW (lpString1="MSFax", lpString2="...") returned 1 [0115.087] lstrcmpiW (lpString1="MSFax", lpString2="windows") returned -1 [0115.087] lstrcmpiW (lpString1="MSFax", lpString2="$RECYCLE.BIN") returned 1 [0115.087] lstrcmpiW (lpString1="MSFax", lpString2="rsa") returned -1 [0115.087] lstrcmpiW (lpString1="MSFax", lpString2="log") returned 1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="NTDETECT.COM") returned -1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="ntldr") returned -1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="MSDOS.SYS") returned 1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="IO.SYS") returned 1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="boot.ini") returned 1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="AUTOEXEC.BAT") returned 1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="ntuser.dat") returned -1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="desktop.ini") returned 1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="CONFIG.SYS") returned 1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="RECYCLER") returned -1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="BOOTSECT.BAK") returned 1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="bootmgr") returned 1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="programdata") returned -1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="appdata") returned 1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="program files") returned -1 [0115.088] lstrcmpiW (lpString1="MSFax", lpString2="program files (x86)") returned -1 [0115.088] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\" [0115.088] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\", lpString2="MSFax" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax" [0115.088] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0115.088] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0115.088] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" [0115.088] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0115.091] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.091] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0115.091] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.091] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.091] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="ActivityLog", cAlternateFileName="ACTIVI~1")) returned 1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2=".") returned 1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="..") returned 1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="...") returned 1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="windows") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="$RECYCLE.BIN") returned 1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="rsa") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="log") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="NTDETECT.COM") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="ntldr") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="MSDOS.SYS") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="IO.SYS") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="boot.ini") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="AUTOEXEC.BAT") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="ntuser.dat") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="desktop.ini") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="CONFIG.SYS") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="RECYCLER") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="BOOTSECT.BAK") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="bootmgr") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="programdata") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="appdata") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="program files") returned -1 [0115.092] lstrcmpiW (lpString1="ActivityLog", lpString2="program files (x86)") returned -1 [0115.092] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0115.092] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="ActivityLog" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog" [0115.092] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\" [0115.093] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\" [0115.093] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*.*" [0115.093] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0115.093] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.093] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0115.093] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.093] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.093] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 0 [0115.093] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0115.093] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="Common Coverpages", cAlternateFileName="COMMON~1")) returned 1 [0115.093] lstrcmpiW (lpString1="Common Coverpages", lpString2=".") returned 1 [0115.093] lstrcmpiW (lpString1="Common Coverpages", lpString2="..") returned 1 [0115.093] lstrcmpiW (lpString1="Common Coverpages", lpString2="...") returned 1 [0115.093] lstrcmpiW (lpString1="Common Coverpages", lpString2="windows") returned -1 [0115.093] lstrcmpiW (lpString1="Common Coverpages", lpString2="$RECYCLE.BIN") returned 1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="rsa") returned -1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="log") returned -1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="NTDETECT.COM") returned -1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="ntldr") returned -1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="MSDOS.SYS") returned -1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="IO.SYS") returned -1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="boot.ini") returned 1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="AUTOEXEC.BAT") returned 1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="ntuser.dat") returned -1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="desktop.ini") returned -1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="CONFIG.SYS") returned -1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="RECYCLER") returned -1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="BOOTSECT.BAK") returned 1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="bootmgr") returned 1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="programdata") returned -1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="appdata") returned 1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="program files") returned -1 [0115.094] lstrcmpiW (lpString1="Common Coverpages", lpString2="program files (x86)") returned -1 [0115.094] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0115.094] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="Common Coverpages" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" [0115.094] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\" [0115.094] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\" [0115.094] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*" [0115.094] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0115.095] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.095] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0115.095] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.095] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.095] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="en-US", cAlternateFileName="")) returned 1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="log") returned -1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="NTDETECT.COM") returned -1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="ntldr") returned -1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="MSDOS.SYS") returned -1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="IO.SYS") returned -1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="boot.ini") returned 1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="AUTOEXEC.BAT") returned 1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0115.095] lstrcmpiW (lpString1="en-US", lpString2="desktop.ini") returned 1 [0115.096] lstrcmpiW (lpString1="en-US", lpString2="CONFIG.SYS") returned 1 [0115.096] lstrcmpiW (lpString1="en-US", lpString2="RECYCLER") returned -1 [0115.096] lstrcmpiW (lpString1="en-US", lpString2="BOOTSECT.BAK") returned 1 [0115.096] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0115.096] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0115.096] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0115.096] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0115.096] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0115.096] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\" [0115.096] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\", lpString2="en-US" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" [0115.096] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" [0115.096] lstrcpyW (in: lpString1=0x24dcee0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" [0115.096] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*.*" [0115.096] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*.*", lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x880086, dwReserved1=0x24dd560, cFileName=".", cAlternateFileName="")) returned 0x50aa00 [0115.096] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.096] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x880086, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 1 [0115.097] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.097] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.097] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x28aa, dwReserved0=0x880086, dwReserved1=0x24dd560, cFileName="confident.cov", cAlternateFileName="")) returned 1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2=".") returned 1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="..") returned 1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="...") returned 1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="windows") returned -1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="$RECYCLE.BIN") returned 1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="rsa") returned -1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="log") returned -1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="NTDETECT.COM") returned -1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="ntldr") returned -1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="MSDOS.SYS") returned -1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="IO.SYS") returned -1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="boot.ini") returned 1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="AUTOEXEC.BAT") returned 1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="ntuser.dat") returned -1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="desktop.ini") returned -1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="CONFIG.SYS") returned -1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="RECYCLER") returned -1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="BOOTSECT.BAK") returned 1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="bootmgr") returned 1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="programdata") returned -1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="appdata") returned 1 [0115.097] lstrcmpiW (lpString1="confident.cov", lpString2="program files") returned -1 [0115.098] lstrcmpiW (lpString1="confident.cov", lpString2="program files (x86)") returned -1 [0115.098] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" [0115.098] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\", lpString2="confident.cov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" [0115.098] PathFindExtensionW (pszPath="confident.cov") returned=".cov" [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".exe") returned -1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".log") returned -1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".cab") returned 1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".cmd") returned 1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".com") returned 1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".cpl") returned -1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".ini") returned -1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".dll") returned -1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".url") returned -1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".ttf") returned -1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".mp3") returned -1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".pif") returned -1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".mp4") returned -1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".NEPHILIM") returned -1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".msi") returned -1 [0115.098] lstrcmpiW (lpString1=".cov", lpString2=".lnk") returned -1 [0115.098] lstrcmpiW (lpString1="confident.cov", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.098] lstrlenA (lpString="NEPHILIM") returned 8 [0115.098] GetProcessHeap () returned 0x4e0000 [0115.098] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f818 [0115.099] lstrlenA (lpString="NEPHILIM") returned 8 [0115.099] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\confident.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0115.100] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=4294968320) returned 0 [0115.100] GetProcessHeap () returned 0x4e0000 [0115.100] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dd90 [0115.100] GetProcessHeap () returned 0x4e0000 [0115.100] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dda8 [0115.100] SystemFunction036 (in: RandomBuffer=0x50dd90, RandomBufferLength=0x10 | out: RandomBuffer=0x50dd90) returned 1 [0115.100] SystemFunction036 (in: RandomBuffer=0x50dda8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dda8) returned 1 [0115.100] GetProcessHeap () returned 0x4e0000 [0115.100] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d620 [0115.100] GetProcessHeap () returned 0x4e0000 [0115.100] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d728 [0115.100] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d620*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x51d620*, pdwDataLen=0x24dc808*=0x100) returned 1 [0115.100] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d728*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x51d728*, pdwDataLen=0x24dc804*=0x100) returned 1 [0115.101] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0115.101] SetLastError (dwErrCode=0x0) [0115.101] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51d620, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0) returned 0 [0115.101] GetLastError () returned 0x6 [0115.101] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2a09, dwReserved0=0x880086, dwReserved1=0x24dd560, cFileName="fyi.cov", cAlternateFileName="")) returned 1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2=".") returned 1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="..") returned 1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="...") returned 1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="windows") returned -1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="$RECYCLE.BIN") returned 1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="rsa") returned -1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="log") returned -1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="NTDETECT.COM") returned -1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="ntldr") returned -1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="MSDOS.SYS") returned -1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="IO.SYS") returned -1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="boot.ini") returned 1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="AUTOEXEC.BAT") returned 1 [0115.101] lstrcmpiW (lpString1="fyi.cov", lpString2="ntuser.dat") returned -1 [0115.102] lstrcmpiW (lpString1="fyi.cov", lpString2="desktop.ini") returned 1 [0115.102] lstrcmpiW (lpString1="fyi.cov", lpString2="CONFIG.SYS") returned 1 [0115.102] lstrcmpiW (lpString1="fyi.cov", lpString2="RECYCLER") returned -1 [0115.102] lstrcmpiW (lpString1="fyi.cov", lpString2="BOOTSECT.BAK") returned 1 [0115.102] lstrcmpiW (lpString1="fyi.cov", lpString2="bootmgr") returned 1 [0115.102] lstrcmpiW (lpString1="fyi.cov", lpString2="programdata") returned -1 [0115.102] lstrcmpiW (lpString1="fyi.cov", lpString2="appdata") returned 1 [0115.102] lstrcmpiW (lpString1="fyi.cov", lpString2="program files") returned -1 [0115.102] lstrcmpiW (lpString1="fyi.cov", lpString2="program files (x86)") returned -1 [0115.102] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" [0115.102] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\", lpString2="fyi.cov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" [0115.102] PathFindExtensionW (pszPath="fyi.cov") returned=".cov" [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".exe") returned -1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".log") returned -1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".cab") returned 1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".cmd") returned 1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".com") returned 1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".cpl") returned -1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".ini") returned -1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".dll") returned -1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".url") returned -1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".ttf") returned -1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".mp3") returned -1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".pif") returned -1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".mp4") returned -1 [0115.102] lstrcmpiW (lpString1=".cov", lpString2=".NEPHILIM") returned -1 [0115.103] lstrcmpiW (lpString1=".cov", lpString2=".msi") returned -1 [0115.103] lstrcmpiW (lpString1=".cov", lpString2=".lnk") returned -1 [0115.103] lstrcmpiW (lpString1="fyi.cov", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.103] lstrlenA (lpString="NEPHILIM") returned 8 [0115.103] GetProcessHeap () returned 0x4e0000 [0115.103] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f828 [0115.103] lstrlenA (lpString="NEPHILIM") returned 8 [0115.103] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\fyi.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0115.103] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=4294968320) returned 0 [0115.103] GetProcessHeap () returned 0x4e0000 [0115.103] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ddc0 [0115.103] GetProcessHeap () returned 0x4e0000 [0115.103] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ddd8 [0115.103] SystemFunction036 (in: RandomBuffer=0x50ddc0, RandomBufferLength=0x10 | out: RandomBuffer=0x50ddc0) returned 1 [0115.103] SystemFunction036 (in: RandomBuffer=0x50ddd8, RandomBufferLength=0x10 | out: RandomBuffer=0x50ddd8) returned 1 [0115.103] GetProcessHeap () returned 0x4e0000 [0115.103] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d830 [0115.104] GetProcessHeap () returned 0x4e0000 [0115.104] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51d938 [0115.104] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d830*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x51d830*, pdwDataLen=0x24dc808*=0x100) returned 1 [0115.104] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51d938*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x51d938*, pdwDataLen=0x24dc804*=0x100) returned 1 [0115.104] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0115.104] SetLastError (dwErrCode=0x0) [0115.104] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51d830, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0) returned 0 [0115.104] GetLastError () returned 0x6 [0115.104] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3aa0, dwReserved0=0x880086, dwReserved1=0x24dd560, cFileName="generic.cov", cAlternateFileName="")) returned 1 [0115.104] lstrcmpiW (lpString1="generic.cov", lpString2=".") returned 1 [0115.104] lstrcmpiW (lpString1="generic.cov", lpString2="..") returned 1 [0115.104] lstrcmpiW (lpString1="generic.cov", lpString2="...") returned 1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="windows") returned -1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="$RECYCLE.BIN") returned 1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="rsa") returned -1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="log") returned -1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="NTDETECT.COM") returned -1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="ntldr") returned -1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="MSDOS.SYS") returned -1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="IO.SYS") returned -1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="boot.ini") returned 1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="AUTOEXEC.BAT") returned 1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="ntuser.dat") returned -1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="desktop.ini") returned 1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="CONFIG.SYS") returned 1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="RECYCLER") returned -1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="BOOTSECT.BAK") returned 1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="bootmgr") returned 1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="programdata") returned -1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="appdata") returned 1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="program files") returned -1 [0115.105] lstrcmpiW (lpString1="generic.cov", lpString2="program files (x86)") returned -1 [0115.105] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" [0115.105] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\", lpString2="generic.cov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" [0115.105] PathFindExtensionW (pszPath="generic.cov") returned=".cov" [0115.105] lstrcmpiW (lpString1=".cov", lpString2=".exe") returned -1 [0115.105] lstrcmpiW (lpString1=".cov", lpString2=".log") returned -1 [0115.105] lstrcmpiW (lpString1=".cov", lpString2=".cab") returned 1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".cmd") returned 1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".com") returned 1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".cpl") returned -1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".ini") returned -1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".dll") returned -1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".url") returned -1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".ttf") returned -1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".mp3") returned -1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".pif") returned -1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".mp4") returned -1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".NEPHILIM") returned -1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".msi") returned -1 [0115.106] lstrcmpiW (lpString1=".cov", lpString2=".lnk") returned -1 [0115.106] lstrcmpiW (lpString1="generic.cov", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.106] lstrlenA (lpString="NEPHILIM") returned 8 [0115.106] GetProcessHeap () returned 0x4e0000 [0115.106] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f838 [0115.106] lstrlenA (lpString="NEPHILIM") returned 8 [0115.106] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\generic.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0115.117] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=4294968320) returned 0 [0115.117] GetProcessHeap () returned 0x4e0000 [0115.117] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50ddf0 [0115.117] GetProcessHeap () returned 0x4e0000 [0115.117] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50de08 [0115.117] SystemFunction036 (in: RandomBuffer=0x50ddf0, RandomBufferLength=0x10 | out: RandomBuffer=0x50ddf0) returned 1 [0115.117] SystemFunction036 (in: RandomBuffer=0x50de08, RandomBufferLength=0x10 | out: RandomBuffer=0x50de08) returned 1 [0115.117] GetProcessHeap () returned 0x4e0000 [0115.117] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51da40 [0115.117] GetProcessHeap () returned 0x4e0000 [0115.117] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51db48 [0115.117] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51da40*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x51da40*, pdwDataLen=0x24dc808*=0x100) returned 1 [0115.117] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51db48*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x51db48*, pdwDataLen=0x24dc804*=0x100) returned 1 [0115.118] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0115.118] SetLastError (dwErrCode=0x0) [0115.118] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51da40, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0) returned 0 [0115.118] GetLastError () returned 0x6 [0115.118] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x880086, dwReserved1=0x24dd560, cFileName="urgent.cov", cAlternateFileName="")) returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2=".") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="..") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="...") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="windows") returned -1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="$RECYCLE.BIN") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="rsa") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="log") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="NTDETECT.COM") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="ntldr") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="MSDOS.SYS") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="IO.SYS") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="boot.ini") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="AUTOEXEC.BAT") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="ntuser.dat") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="desktop.ini") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="CONFIG.SYS") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="RECYCLER") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="BOOTSECT.BAK") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="bootmgr") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="programdata") returned 1 [0115.118] lstrcmpiW (lpString1="urgent.cov", lpString2="appdata") returned 1 [0115.119] lstrcmpiW (lpString1="urgent.cov", lpString2="program files") returned 1 [0115.119] lstrcmpiW (lpString1="urgent.cov", lpString2="program files (x86)") returned 1 [0115.119] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" [0115.119] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\", lpString2="urgent.cov" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" [0115.119] PathFindExtensionW (pszPath="urgent.cov") returned=".cov" [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".exe") returned -1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".log") returned -1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".cab") returned 1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".cmd") returned 1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".com") returned 1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".cpl") returned -1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".ini") returned -1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".dll") returned -1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".url") returned -1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".ttf") returned -1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".mp3") returned -1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".pif") returned -1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".mp4") returned -1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".NEPHILIM") returned -1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".msi") returned -1 [0115.119] lstrcmpiW (lpString1=".cov", lpString2=".lnk") returned -1 [0115.119] lstrcmpiW (lpString1="urgent.cov", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0115.119] lstrlenA (lpString="NEPHILIM") returned 8 [0115.119] GetProcessHeap () returned 0x4e0000 [0115.119] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f848 [0115.119] lstrlenA (lpString="NEPHILIM") returned 8 [0115.120] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\urgent.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0115.120] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=4294968320) returned 0 [0115.120] GetProcessHeap () returned 0x4e0000 [0115.120] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50de20 [0115.120] GetProcessHeap () returned 0x4e0000 [0115.120] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50de38 [0115.120] SystemFunction036 (in: RandomBuffer=0x50de20, RandomBufferLength=0x10 | out: RandomBuffer=0x50de20) returned 1 [0115.120] SystemFunction036 (in: RandomBuffer=0x50de38, RandomBufferLength=0x10 | out: RandomBuffer=0x50de38) returned 1 [0115.120] GetProcessHeap () returned 0x4e0000 [0115.120] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51dc50 [0115.120] GetProcessHeap () returned 0x4e0000 [0115.120] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51dd58 [0115.120] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51dc50*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x51dc50*, pdwDataLen=0x24dc808*=0x100) returned 1 [0115.120] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51dd58*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x51dd58*, pdwDataLen=0x24dc804*=0x100) returned 1 [0115.121] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0115.121] SetLastError (dwErrCode=0x0) [0115.121] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51dc50, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0) returned 0 [0115.121] GetLastError () returned 0x6 [0115.121] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x880086, dwReserved1=0x24dd560, cFileName="urgent.cov", cAlternateFileName="")) returned 0 [0115.121] FindClose (in: hFindFile=0x50aa00 | out: hFindFile=0x50aa00) returned 1 [0115.121] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="en-US", cAlternateFileName="")) returned 0 [0115.121] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0115.121] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="Inbox", cAlternateFileName="")) returned 1 [0115.121] lstrcmpiW (lpString1="Inbox", lpString2=".") returned 1 [0115.121] lstrcmpiW (lpString1="Inbox", lpString2="..") returned 1 [0115.121] lstrcmpiW (lpString1="Inbox", lpString2="...") returned 1 [0115.121] lstrcmpiW (lpString1="Inbox", lpString2="windows") returned -1 [0115.121] lstrcmpiW (lpString1="Inbox", lpString2="$RECYCLE.BIN") returned 1 [0115.121] lstrcmpiW (lpString1="Inbox", lpString2="rsa") returned -1 [0115.121] lstrcmpiW (lpString1="Inbox", lpString2="log") returned -1 [0115.121] lstrcmpiW (lpString1="Inbox", lpString2="NTDETECT.COM") returned -1 [0115.121] lstrcmpiW (lpString1="Inbox", lpString2="ntldr") returned -1 [0115.121] lstrcmpiW (lpString1="Inbox", lpString2="MSDOS.SYS") returned -1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="IO.SYS") returned -1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="boot.ini") returned 1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="AUTOEXEC.BAT") returned 1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="ntuser.dat") returned -1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="desktop.ini") returned 1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="CONFIG.SYS") returned 1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="RECYCLER") returned -1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="BOOTSECT.BAK") returned 1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="bootmgr") returned 1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="programdata") returned -1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="appdata") returned 1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="program files") returned -1 [0115.122] lstrcmpiW (lpString1="Inbox", lpString2="program files (x86)") returned -1 [0115.122] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0115.122] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="Inbox" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox" [0115.122] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\" [0115.122] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\" [0115.123] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*.*" [0115.123] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0115.124] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.124] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0115.125] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.125] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.125] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 0 [0115.125] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0115.125] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="Queue", cAlternateFileName="")) returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2=".") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="..") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="...") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="windows") returned -1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="$RECYCLE.BIN") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="rsa") returned -1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="log") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="NTDETECT.COM") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="ntldr") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="MSDOS.SYS") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="IO.SYS") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="boot.ini") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="AUTOEXEC.BAT") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="ntuser.dat") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="desktop.ini") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="CONFIG.SYS") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="RECYCLER") returned -1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="BOOTSECT.BAK") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="bootmgr") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="programdata") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="appdata") returned 1 [0115.125] lstrcmpiW (lpString1="Queue", lpString2="program files") returned 1 [0115.126] lstrcmpiW (lpString1="Queue", lpString2="program files (x86)") returned 1 [0115.126] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0115.126] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="Queue" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue" [0115.126] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\" [0115.126] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\" [0115.126] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*.*" [0115.126] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0115.126] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.126] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0115.126] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.126] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.126] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 0 [0115.126] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0115.126] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="SentItems", cAlternateFileName="SENTIT~1")) returned 1 [0115.126] lstrcmpiW (lpString1="SentItems", lpString2=".") returned 1 [0115.126] lstrcmpiW (lpString1="SentItems", lpString2="..") returned 1 [0115.126] lstrcmpiW (lpString1="SentItems", lpString2="...") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="windows") returned -1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="$RECYCLE.BIN") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="rsa") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="log") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="NTDETECT.COM") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="ntldr") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="MSDOS.SYS") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="IO.SYS") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="boot.ini") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="AUTOEXEC.BAT") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="ntuser.dat") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="desktop.ini") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="CONFIG.SYS") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="RECYCLER") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="BOOTSECT.BAK") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="bootmgr") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="programdata") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="appdata") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="program files") returned 1 [0115.127] lstrcmpiW (lpString1="SentItems", lpString2="program files (x86)") returned 1 [0115.127] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0115.127] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="SentItems" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems" [0115.127] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\" [0115.127] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\" [0115.127] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*.*" [0115.127] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0115.128] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.128] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0115.128] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.128] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.128] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 0 [0115.128] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0115.128] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2=".") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="..") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="...") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="windows") returned -1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="$RECYCLE.BIN") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="rsa") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="log") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="NTDETECT.COM") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="ntldr") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="MSDOS.SYS") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="IO.SYS") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="boot.ini") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="AUTOEXEC.BAT") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="ntuser.dat") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="desktop.ini") returned 1 [0115.128] lstrcmpiW (lpString1="VirtualInbox", lpString2="CONFIG.SYS") returned 1 [0115.129] lstrcmpiW (lpString1="VirtualInbox", lpString2="RECYCLER") returned 1 [0115.129] lstrcmpiW (lpString1="VirtualInbox", lpString2="BOOTSECT.BAK") returned 1 [0115.129] lstrcmpiW (lpString1="VirtualInbox", lpString2="bootmgr") returned 1 [0115.129] lstrcmpiW (lpString1="VirtualInbox", lpString2="programdata") returned 1 [0115.129] lstrcmpiW (lpString1="VirtualInbox", lpString2="appdata") returned 1 [0115.129] lstrcmpiW (lpString1="VirtualInbox", lpString2="program files") returned 1 [0115.129] lstrcmpiW (lpString1="VirtualInbox", lpString2="program files (x86)") returned 1 [0115.129] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0115.129] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="VirtualInbox" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" [0115.129] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\" [0115.129] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\" [0115.129] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*" [0115.129] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0115.129] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.129] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0115.129] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.129] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.129] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="en-US", cAlternateFileName="")) returned 1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="log") returned -1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="NTDETECT.COM") returned -1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="ntldr") returned -1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="MSDOS.SYS") returned -1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="IO.SYS") returned -1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="boot.ini") returned 1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="AUTOEXEC.BAT") returned 1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="desktop.ini") returned 1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="CONFIG.SYS") returned 1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="RECYCLER") returned -1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="BOOTSECT.BAK") returned 1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0115.130] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0115.130] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\" [0115.130] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\", lpString2="en-US" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" [0115.130] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\" [0115.130] lstrcpyW (in: lpString1=0x24dcee0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\" [0115.130] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*.*" [0115.131] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*.*", lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e007c, dwReserved1=0x24dd560, cFileName=".", cAlternateFileName="")) returned 0x50aa00 [0115.138] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.138] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e007c, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 1 [0115.138] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.138] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.138] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x7e007c, dwReserved1=0x24dd560, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2=".") returned 1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="..") returned 1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="...") returned 1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="windows") returned -1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="$RECYCLE.BIN") returned 1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="rsa") returned 1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="log") returned 1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="NTDETECT.COM") returned 1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="ntldr") returned 1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="MSDOS.SYS") returned 1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="IO.SYS") returned 1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="boot.ini") returned 1 [0115.138] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="AUTOEXEC.BAT") returned 1 [0115.139] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="ntuser.dat") returned 1 [0115.139] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="desktop.ini") returned 1 [0115.139] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="CONFIG.SYS") returned 1 [0115.139] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="RECYCLER") returned 1 [0115.139] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="BOOTSECT.BAK") returned 1 [0115.139] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="bootmgr") returned 1 [0115.139] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="programdata") returned 1 [0115.139] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="appdata") returned 1 [0115.139] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="program files") returned 1 [0115.139] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="program files (x86)") returned 1 [0115.139] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\" [0115.139] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\", lpString2="WelcomeFax.tif" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" [0115.139] PathFindExtensionW (pszPath="WelcomeFax.tif") returned=".tif" [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".exe") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".log") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".cab") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".cmd") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".com") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".cpl") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".ini") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".dll") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".url") returned -1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".ttf") returned -1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".mp3") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".pif") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".mp4") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".NEPHILIM") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".msi") returned 1 [0115.139] lstrcmpiW (lpString1=".tif", lpString2=".lnk") returned 1 [0115.139] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0115.140] lstrlenA (lpString="NEPHILIM") returned 8 [0115.140] GetProcessHeap () returned 0x4e0000 [0115.140] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f858 [0115.140] lstrlenA (lpString="NEPHILIM") returned 8 [0115.140] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0115.140] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=4294968320) returned 0 [0115.140] GetProcessHeap () returned 0x4e0000 [0115.140] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50de50 [0115.140] GetProcessHeap () returned 0x4e0000 [0115.140] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50de68 [0115.140] SystemFunction036 (in: RandomBuffer=0x50de50, RandomBufferLength=0x10 | out: RandomBuffer=0x50de50) returned 1 [0115.140] SystemFunction036 (in: RandomBuffer=0x50de68, RandomBufferLength=0x10 | out: RandomBuffer=0x50de68) returned 1 [0115.140] GetProcessHeap () returned 0x4e0000 [0115.140] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51de60 [0115.140] GetProcessHeap () returned 0x4e0000 [0115.140] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51df68 [0115.140] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51de60*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x51de60*, pdwDataLen=0x24dc808*=0x100) returned 1 [0115.141] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51df68*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x51df68*, pdwDataLen=0x24dc804*=0x100) returned 1 [0115.141] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0115.141] SetLastError (dwErrCode=0x0) [0115.141] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51de60, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0) returned 0 [0115.141] GetLastError () returned 0x6 [0115.141] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x7e007c, dwReserved1=0x24dd560, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 0 [0115.141] FindClose (in: hFindFile=0x50aa00 | out: hFindFile=0x50aa00) returned 1 [0115.141] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x24ddbe0, cFileName="en-US", cAlternateFileName="")) returned 0 [0115.141] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0115.141] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 0 [0115.141] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0115.142] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="MSScan", cAlternateFileName="")) returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2=".") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="..") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="...") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="windows") returned -1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="$RECYCLE.BIN") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="rsa") returned -1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="log") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="NTDETECT.COM") returned -1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="ntldr") returned -1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="MSDOS.SYS") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="IO.SYS") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="boot.ini") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="AUTOEXEC.BAT") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="ntuser.dat") returned -1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="desktop.ini") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="CONFIG.SYS") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="RECYCLER") returned -1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="BOOTSECT.BAK") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="bootmgr") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="programdata") returned -1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="appdata") returned 1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="program files") returned -1 [0115.142] lstrcmpiW (lpString1="MSScan", lpString2="program files (x86)") returned -1 [0115.142] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\" [0115.143] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\", lpString2="MSScan" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan" [0115.143] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\" [0115.143] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\" [0115.143] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*" [0115.143] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0115.143] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.143] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0115.143] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.143] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.143] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea12c467, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xea12c467, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xea1525c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2=".") returned 1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="..") returned 1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="...") returned 1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="windows") returned -1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="$RECYCLE.BIN") returned 1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="rsa") returned 1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="log") returned 1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="NTDETECT.COM") returned 1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="ntldr") returned 1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="MSDOS.SYS") returned 1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="IO.SYS") returned 1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="boot.ini") returned 1 [0115.143] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0115.144] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="ntuser.dat") returned 1 [0115.144] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="desktop.ini") returned 1 [0115.144] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="CONFIG.SYS") returned 1 [0115.144] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="RECYCLER") returned 1 [0115.144] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="BOOTSECT.BAK") returned 1 [0115.144] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="bootmgr") returned 1 [0115.144] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="programdata") returned 1 [0115.144] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="appdata") returned 1 [0115.144] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="program files") returned 1 [0115.144] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="program files (x86)") returned 1 [0115.144] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\" [0115.144] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\", lpString2="WelcomeScan.jpg" | out: lpString1="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" [0115.144] PathFindExtensionW (pszPath="WelcomeScan.jpg") returned=".jpg" [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0115.144] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0115.144] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0115.144] lstrlenA (lpString="NEPHILIM") returned 8 [0115.144] GetProcessHeap () returned 0x4e0000 [0115.145] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f868 [0115.145] lstrlenA (lpString="NEPHILIM") returned 8 [0115.145] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0115.145] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=4294968320) returned 0 [0115.145] GetProcessHeap () returned 0x4e0000 [0115.145] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50de80 [0115.145] GetProcessHeap () returned 0x4e0000 [0115.145] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50de98 [0115.145] SystemFunction036 (in: RandomBuffer=0x50de80, RandomBufferLength=0x10 | out: RandomBuffer=0x50de80) returned 1 [0115.145] SystemFunction036 (in: RandomBuffer=0x50de98, RandomBufferLength=0x10 | out: RandomBuffer=0x50de98) returned 1 [0115.145] GetProcessHeap () returned 0x4e0000 [0115.145] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e070 [0115.145] GetProcessHeap () returned 0x4e0000 [0115.145] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e178 [0115.145] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e070*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51e070*, pdwDataLen=0x24dd508*=0x100) returned 1 [0115.145] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e178*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51e178*, pdwDataLen=0x24dd504*=0x100) returned 1 [0115.146] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0115.146] SetLastError (dwErrCode=0x0) [0115.146] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51e070, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0) returned 0 [0115.146] GetLastError () returned 0x6 [0115.146] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea12c467, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xea12c467, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xea1525c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x580056, dwReserved1=0x24de260, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 0 [0115.146] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0115.146] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="MSScan", cAlternateFileName="")) returned 0 [0115.146] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0115.146] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2=".") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="..") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="...") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="windows") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="$RECYCLE.BIN") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="rsa") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="log") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="NTDETECT.COM") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="ntldr") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="MSDOS.SYS") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="IO.SYS") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="boot.ini") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="AUTOEXEC.BAT") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="ntuser.dat") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="desktop.ini") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="CONFIG.SYS") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="RECYCLER") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="BOOTSECT.BAK") returned 1 [0115.146] lstrcmpiW (lpString1="WwanSvc", lpString2="bootmgr") returned 1 [0115.147] lstrcmpiW (lpString1="WwanSvc", lpString2="programdata") returned 1 [0115.147] lstrcmpiW (lpString1="WwanSvc", lpString2="appdata") returned 1 [0115.147] lstrcmpiW (lpString1="WwanSvc", lpString2="program files") returned 1 [0115.147] lstrcmpiW (lpString1="WwanSvc", lpString2="program files (x86)") returned 1 [0115.147] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\") returned="C:\\Users\\All Users\\Microsoft\\" [0115.147] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\", lpString2="WwanSvc" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc" [0115.147] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\" [0115.147] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\" [0115.147] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*" [0115.147] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0115.147] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.147] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0115.147] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.147] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.147] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Profiles", cAlternateFileName="")) returned 1 [0115.147] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0115.147] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0115.147] lstrcmpiW (lpString1="Profiles", lpString2="...") returned 1 [0115.147] lstrcmpiW (lpString1="Profiles", lpString2="windows") returned -1 [0115.147] lstrcmpiW (lpString1="Profiles", lpString2="$RECYCLE.BIN") returned 1 [0115.147] lstrcmpiW (lpString1="Profiles", lpString2="rsa") returned -1 [0115.147] lstrcmpiW (lpString1="Profiles", lpString2="log") returned 1 [0115.147] lstrcmpiW (lpString1="Profiles", lpString2="NTDETECT.COM") returned 1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="ntldr") returned 1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="MSDOS.SYS") returned 1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="IO.SYS") returned 1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="boot.ini") returned 1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="AUTOEXEC.BAT") returned 1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="ntuser.dat") returned 1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="desktop.ini") returned 1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="CONFIG.SYS") returned 1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="RECYCLER") returned -1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="BOOTSECT.BAK") returned 1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="bootmgr") returned 1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="programdata") returned -1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="appdata") returned 1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="program files") returned -1 [0115.148] lstrcmpiW (lpString1="Profiles", lpString2="program files (x86)") returned -1 [0115.148] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\" [0115.148] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\", lpString2="Profiles" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles" [0115.148] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\" [0115.148] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\" [0115.148] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*") returned="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*" [0115.148] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0115.148] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.148] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0115.149] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.149] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.149] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 0 [0115.149] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0115.149] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x24de8e0, cFileName="Profiles", cAlternateFileName="")) returned 0 [0115.149] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0115.149] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="WwanSvc", cAlternateFileName="")) returned 0 [0115.149] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0115.149] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2=".") returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="..") returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="...") returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="windows") returned -1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="$RECYCLE.BIN") returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="rsa") returned -1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="log") returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="NTDETECT.COM") returned -1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="ntldr") returned -1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="MSDOS.SYS") returned -1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="IO.SYS") returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="boot.ini") returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="AUTOEXEC.BAT") returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="ntuser.dat") returned -1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="desktop.ini") returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="CONFIG.SYS") returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="RECYCLER") returned -1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="BOOTSECT.BAK") returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="bootmgr") returned 1 [0115.149] lstrcmpiW (lpString1="Microsoft Help", lpString2="programdata") returned -1 [0115.150] lstrcmpiW (lpString1="Microsoft Help", lpString2="appdata") returned 1 [0115.150] lstrcmpiW (lpString1="Microsoft Help", lpString2="program files") returned -1 [0115.150] lstrcmpiW (lpString1="Microsoft Help", lpString2="program files (x86)") returned -1 [0115.150] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0115.150] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Microsoft Help" | out: lpString1="C:\\Users\\All Users\\Microsoft Help") returned="C:\\Users\\All Users\\Microsoft Help" [0115.150] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.150] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.150] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\*.*") returned="C:\\Users\\All Users\\Microsoft Help\\*.*" [0115.150] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft Help\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0115.208] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.208] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0115.229] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.229] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.229] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x896b9210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x896b9210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Hx.hxn", cAlternateFileName="")) returned 1 [0115.229] lstrcmpiW (lpString1="Hx.hxn", lpString2=".") returned 1 [0115.229] lstrcmpiW (lpString1="Hx.hxn", lpString2="..") returned 1 [0115.229] lstrcmpiW (lpString1="Hx.hxn", lpString2="...") returned 1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="windows") returned -1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="rsa") returned -1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="log") returned -1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="NTDETECT.COM") returned -1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="ntldr") returned -1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="MSDOS.SYS") returned -1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="IO.SYS") returned -1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="boot.ini") returned 1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="ntuser.dat") returned -1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="desktop.ini") returned 1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="CONFIG.SYS") returned 1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="RECYCLER") returned -1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="bootmgr") returned 1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="programdata") returned -1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="appdata") returned 1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="program files") returned -1 [0115.230] lstrcmpiW (lpString1="Hx.hxn", lpString2="program files (x86)") returned -1 [0115.230] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.230] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="Hx.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn" [0115.230] PathFindExtensionW (pszPath="Hx.hxn") returned=".hxn" [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.231] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.231] lstrcmpiW (lpString1="Hx.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.231] lstrlenA (lpString="NEPHILIM") returned 8 [0115.231] GetProcessHeap () returned 0x4e0000 [0115.231] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f878 [0115.231] lstrlenA (lpString="NEPHILIM") returned 8 [0115.231] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.232] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=390) returned 1 [0115.232] GetProcessHeap () returned 0x4e0000 [0115.232] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.232] GetProcessHeap () returned 0x4e0000 [0115.232] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.233] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.233] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.233] GetProcessHeap () returned 0x4e0000 [0115.233] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.233] GetProcessHeap () returned 0x4e0000 [0115.233] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.233] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.233] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.233] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x186, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.233] SetLastError (dwErrCode=0x0) [0115.233] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.235] GetLastError () returned 0x0 [0115.235] GetLastError () returned 0x0 [0115.235] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x286, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.236] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.236] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x386, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.236] lstrlenA (lpString="NEPHILIM") returned 8 [0115.236] WriteFile (in: hFile=0xec, lpBuffer=0x50f878*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50f878*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.236] GetProcessHeap () returned 0x4e0000 [0115.236] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x186) returned 0x50fd10 [0115.236] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.236] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x186, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x186, lpOverlapped=0x0) returned 1 [0115.236] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.236] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x186, lpOverlapped=0x0) returned 1 [0115.236] GetProcessHeap () returned 0x4e0000 [0115.237] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.237] CloseHandle (hObject=0xec) returned 1 [0115.237] GetProcessHeap () returned 0x4e0000 [0115.237] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.237] GetProcessHeap () returned 0x4e0000 [0115.237] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.237] GetProcessHeap () returned 0x4e0000 [0115.237] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.237] GetProcessHeap () returned 0x4e0000 [0115.237] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.237] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn" [0115.237] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn.NEPHILIM" [0115.237] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\Hx.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn.nephilim")) returned 1 [0115.238] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa72fc10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa72fc10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.EXCEL.14.1033.hxn", cAlternateFileName="MSEXCE~1.HXN")) returned 1 [0115.238] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2=".") returned 1 [0115.238] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="..") returned 1 [0115.238] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="...") returned 1 [0115.238] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="windows") returned -1 [0115.238] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.238] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="rsa") returned -1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="log") returned 1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="ntldr") returned -1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="programdata") returned -1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="appdata") returned 1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="program files") returned -1 [0115.239] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.239] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.239] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.EXCEL.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" [0115.239] PathFindExtensionW (pszPath="MS.EXCEL.14.1033.hxn") returned=".hxn" [0115.239] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.239] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.239] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.239] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.240] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.240] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.240] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.240] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.240] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.240] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.240] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.240] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.240] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.240] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.240] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.240] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.240] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.240] lstrlenA (lpString="NEPHILIM") returned 8 [0115.240] GetProcessHeap () returned 0x4e0000 [0115.240] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f888 [0115.240] lstrlenA (lpString="NEPHILIM") returned 8 [0115.240] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.270] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=326) returned 1 [0115.270] GetProcessHeap () returned 0x4e0000 [0115.270] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.271] GetProcessHeap () returned 0x4e0000 [0115.271] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.271] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.271] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.271] GetProcessHeap () returned 0x4e0000 [0115.271] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.271] GetProcessHeap () returned 0x4e0000 [0115.271] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.271] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.271] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.272] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x146, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.272] SetLastError (dwErrCode=0x0) [0115.272] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.279] GetLastError () returned 0x0 [0115.279] GetLastError () returned 0x0 [0115.279] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x246, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.279] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.279] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x346, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.279] lstrlenA (lpString="NEPHILIM") returned 8 [0115.279] WriteFile (in: hFile=0xec, lpBuffer=0x50f888*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50f888*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.279] GetProcessHeap () returned 0x4e0000 [0115.279] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x146) returned 0x50fd10 [0115.280] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.280] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x146, lpOverlapped=0x0) returned 1 [0115.280] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.280] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x146, lpOverlapped=0x0) returned 1 [0115.280] GetProcessHeap () returned 0x4e0000 [0115.280] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.280] CloseHandle (hObject=0xec) returned 1 [0115.280] GetProcessHeap () returned 0x4e0000 [0115.280] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.280] GetProcessHeap () returned 0x4e0000 [0115.280] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.280] GetProcessHeap () returned 0x4e0000 [0115.280] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.281] GetProcessHeap () returned 0x4e0000 [0115.281] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.281] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" [0115.281] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.NEPHILIM" [0115.281] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn.nephilim")) returned 1 [0115.282] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa755d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa755d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.EXCEL.DEV.14.1033.hxn", cAlternateFileName="MSEXCE~2.HXN")) returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2=".") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="..") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="...") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="windows") returned -1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="log") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="ntldr") returned -1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0115.282] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="program files") returned -1 [0115.283] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.283] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.283] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.EXCEL.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" [0115.283] PathFindExtensionW (pszPath="MS.EXCEL.DEV.14.1033.hxn") returned=".hxn" [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.283] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.283] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.283] lstrlenA (lpString="NEPHILIM") returned 8 [0115.283] GetProcessHeap () returned 0x4e0000 [0115.283] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f898 [0115.284] lstrlenA (lpString="NEPHILIM") returned 8 [0115.284] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.284] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=350) returned 1 [0115.284] GetProcessHeap () returned 0x4e0000 [0115.284] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.284] GetProcessHeap () returned 0x4e0000 [0115.284] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.284] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.284] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.284] GetProcessHeap () returned 0x4e0000 [0115.284] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.285] GetProcessHeap () returned 0x4e0000 [0115.285] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.285] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.285] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.285] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.285] SetLastError (dwErrCode=0x0) [0115.285] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.287] GetLastError () returned 0x0 [0115.287] GetLastError () returned 0x0 [0115.287] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x25e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.287] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.287] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x35e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.287] lstrlenA (lpString="NEPHILIM") returned 8 [0115.287] WriteFile (in: hFile=0xec, lpBuffer=0x50f898*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50f898*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.287] GetProcessHeap () returned 0x4e0000 [0115.287] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x15e) returned 0x50fd10 [0115.287] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.287] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x15e, lpOverlapped=0x0) returned 1 [0115.287] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.287] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x15e, lpOverlapped=0x0) returned 1 [0115.288] GetProcessHeap () returned 0x4e0000 [0115.288] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.288] CloseHandle (hObject=0xec) returned 1 [0115.288] GetProcessHeap () returned 0x4e0000 [0115.288] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.288] GetProcessHeap () returned 0x4e0000 [0115.288] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.288] GetProcessHeap () returned 0x4e0000 [0115.288] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.288] GetProcessHeap () returned 0x4e0000 [0115.288] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.288] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" [0115.288] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.NEPHILIM" [0115.288] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn.nephilim")) returned 1 [0115.289] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.GRAPH.14.1033.hxn", cAlternateFileName="MSGRAP~1.HXN")) returned 1 [0115.289] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2=".") returned 1 [0115.289] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="..") returned 1 [0115.289] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="...") returned 1 [0115.289] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="windows") returned -1 [0115.289] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.289] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="rsa") returned -1 [0115.289] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="log") returned 1 [0115.289] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.289] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="ntldr") returned -1 [0115.289] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="programdata") returned -1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="appdata") returned 1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="program files") returned -1 [0115.290] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.290] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.290] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.GRAPH.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" [0115.290] PathFindExtensionW (pszPath="MS.GRAPH.14.1033.hxn") returned=".hxn" [0115.290] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.290] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.290] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.290] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.290] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.290] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.290] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.290] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.291] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.291] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.291] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.291] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.291] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.291] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.291] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.291] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.291] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.291] lstrlenA (lpString="NEPHILIM") returned 8 [0115.291] GetProcessHeap () returned 0x4e0000 [0115.291] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f8a8 [0115.291] lstrlenA (lpString="NEPHILIM") returned 8 [0115.291] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.299] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=326) returned 1 [0115.299] GetProcessHeap () returned 0x4e0000 [0115.299] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.300] GetProcessHeap () returned 0x4e0000 [0115.300] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.300] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.300] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.300] GetProcessHeap () returned 0x4e0000 [0115.300] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.300] GetProcessHeap () returned 0x4e0000 [0115.300] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.300] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.300] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.300] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x146, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.301] SetLastError (dwErrCode=0x0) [0115.301] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.302] GetLastError () returned 0x0 [0115.302] GetLastError () returned 0x0 [0115.303] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x246, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.303] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.303] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x346, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.303] lstrlenA (lpString="NEPHILIM") returned 8 [0115.303] WriteFile (in: hFile=0xec, lpBuffer=0x50f8a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50f8a8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.303] GetProcessHeap () returned 0x4e0000 [0115.303] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x146) returned 0x50fd10 [0115.303] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.303] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x146, lpOverlapped=0x0) returned 1 [0115.303] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.355] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x146, lpOverlapped=0x0) returned 1 [0115.355] GetProcessHeap () returned 0x4e0000 [0115.356] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.356] CloseHandle (hObject=0xec) returned 1 [0115.356] GetProcessHeap () returned 0x4e0000 [0115.356] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.356] GetProcessHeap () returned 0x4e0000 [0115.356] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.356] GetProcessHeap () returned 0x4e0000 [0115.356] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.356] GetProcessHeap () returned 0x4e0000 [0115.356] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.356] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" [0115.356] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.NEPHILIM" [0115.356] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn.nephilim")) returned 1 [0115.357] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfd789af0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd789af0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd822070, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.GROOVE.14.1033.hxn", cAlternateFileName="MSGROO~1.HXN")) returned 1 [0115.357] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2=".") returned 1 [0115.357] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="..") returned 1 [0115.357] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="...") returned 1 [0115.357] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="windows") returned -1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="rsa") returned -1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="log") returned 1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="ntldr") returned -1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="programdata") returned -1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="appdata") returned 1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="program files") returned -1 [0115.358] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.358] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.358] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.GROOVE.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" [0115.358] PathFindExtensionW (pszPath="MS.GROOVE.14.1033.hxn") returned=".hxn" [0115.358] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.358] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.358] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.358] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.359] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.359] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.360] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.361] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.361] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.361] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.361] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.361] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.361] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.361] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.361] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.361] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.361] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.361] lstrlenA (lpString="NEPHILIM") returned 8 [0115.361] GetProcessHeap () returned 0x4e0000 [0115.361] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f8b8 [0115.361] lstrlenA (lpString="NEPHILIM") returned 8 [0115.361] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.362] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=332) returned 1 [0115.362] GetProcessHeap () returned 0x4e0000 [0115.362] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.362] GetProcessHeap () returned 0x4e0000 [0115.362] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.362] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.362] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.362] GetProcessHeap () returned 0x4e0000 [0115.362] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.362] GetProcessHeap () returned 0x4e0000 [0115.362] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.362] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.363] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.363] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x14c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.363] SetLastError (dwErrCode=0x0) [0115.363] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.364] GetLastError () returned 0x0 [0115.364] GetLastError () returned 0x0 [0115.364] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x24c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.364] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.365] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x34c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.365] lstrlenA (lpString="NEPHILIM") returned 8 [0115.365] WriteFile (in: hFile=0xec, lpBuffer=0x50f8b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50f8b8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.365] GetProcessHeap () returned 0x4e0000 [0115.365] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x14c) returned 0x50fd10 [0115.365] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.365] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x14c, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x14c, lpOverlapped=0x0) returned 1 [0115.365] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.365] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x14c, lpOverlapped=0x0) returned 1 [0115.365] GetProcessHeap () returned 0x4e0000 [0115.365] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.365] CloseHandle (hObject=0xec) returned 1 [0115.366] GetProcessHeap () returned 0x4e0000 [0115.366] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.366] GetProcessHeap () returned 0x4e0000 [0115.366] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.366] GetProcessHeap () returned 0x4e0000 [0115.366] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.366] GetProcessHeap () returned 0x4e0000 [0115.366] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.366] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" [0115.366] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.NEPHILIM" [0115.366] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn.nephilim")) returned 1 [0115.367] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11446a50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.INFOPATH.14.1033.hxn", cAlternateFileName="MSINFO~1.HXN")) returned 1 [0115.367] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2=".") returned 1 [0115.367] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="..") returned 1 [0115.367] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="...") returned 1 [0115.367] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="windows") returned -1 [0115.367] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.367] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="rsa") returned -1 [0115.367] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="log") returned 1 [0115.367] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.367] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="ntldr") returned -1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="programdata") returned -1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="appdata") returned 1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="program files") returned -1 [0115.368] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.368] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.368] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.INFOPATH.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" [0115.368] PathFindExtensionW (pszPath="MS.INFOPATH.14.1033.hxn") returned=".hxn" [0115.368] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.368] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.368] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.368] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.368] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.368] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.368] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.368] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.369] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.369] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.369] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.369] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.369] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.369] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.369] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.369] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.369] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.369] lstrlenA (lpString="NEPHILIM") returned 8 [0115.369] GetProcessHeap () returned 0x4e0000 [0115.369] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f8c8 [0115.369] lstrlenA (lpString="NEPHILIM") returned 8 [0115.369] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.374] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=344) returned 1 [0115.375] GetProcessHeap () returned 0x4e0000 [0115.375] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.375] GetProcessHeap () returned 0x4e0000 [0115.375] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.375] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.375] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.375] GetProcessHeap () returned 0x4e0000 [0115.375] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.375] GetProcessHeap () returned 0x4e0000 [0115.375] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.375] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.375] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.379] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x158, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.379] SetLastError (dwErrCode=0x0) [0115.379] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.381] GetLastError () returned 0x0 [0115.381] GetLastError () returned 0x0 [0115.381] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x258, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.381] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.381] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x358, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.381] lstrlenA (lpString="NEPHILIM") returned 8 [0115.381] WriteFile (in: hFile=0xec, lpBuffer=0x50f8c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50f8c8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.381] GetProcessHeap () returned 0x4e0000 [0115.381] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x158) returned 0x50fd10 [0115.382] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.382] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x158, lpOverlapped=0x0) returned 1 [0115.382] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.382] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x158, lpOverlapped=0x0) returned 1 [0115.382] GetProcessHeap () returned 0x4e0000 [0115.382] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.382] CloseHandle (hObject=0xec) returned 1 [0115.382] GetProcessHeap () returned 0x4e0000 [0115.382] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.382] GetProcessHeap () returned 0x4e0000 [0115.382] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.382] GetProcessHeap () returned 0x4e0000 [0115.382] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.382] GetProcessHeap () returned 0x4e0000 [0115.383] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.383] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" [0115.383] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.NEPHILIM" [0115.383] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn.nephilim")) returned 1 [0115.384] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1146cbb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.INFOPATHEDITOR.14.1033.hxn", cAlternateFileName="MSINFO~2.HXN")) returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2=".") returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="..") returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="...") returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="windows") returned -1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="rsa") returned -1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="log") returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="ntldr") returned -1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.384] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="programdata") returned -1 [0115.385] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="appdata") returned 1 [0115.385] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="program files") returned -1 [0115.385] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.385] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.385] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.INFOPATHEDITOR.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" [0115.385] PathFindExtensionW (pszPath="MS.INFOPATHEDITOR.14.1033.hxn") returned=".hxn" [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.385] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.385] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.385] lstrlenA (lpString="NEPHILIM") returned 8 [0115.385] GetProcessHeap () returned 0x4e0000 [0115.385] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f8d8 [0115.386] lstrlenA (lpString="NEPHILIM") returned 8 [0115.386] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.386] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=380) returned 1 [0115.386] GetProcessHeap () returned 0x4e0000 [0115.386] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.386] GetProcessHeap () returned 0x4e0000 [0115.386] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.386] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.386] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.386] GetProcessHeap () returned 0x4e0000 [0115.386] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.387] GetProcessHeap () returned 0x4e0000 [0115.387] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.387] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.387] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.387] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x17c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.388] SetLastError (dwErrCode=0x0) [0115.388] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.389] GetLastError () returned 0x0 [0115.389] GetLastError () returned 0x0 [0115.389] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x27c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.389] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.389] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x37c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.389] lstrlenA (lpString="NEPHILIM") returned 8 [0115.389] WriteFile (in: hFile=0xec, lpBuffer=0x50f8d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50f8d8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.390] GetProcessHeap () returned 0x4e0000 [0115.390] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x17c) returned 0x50fd10 [0115.390] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.390] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x17c, lpOverlapped=0x0) returned 1 [0115.390] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.390] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x17c, lpOverlapped=0x0) returned 1 [0115.390] GetProcessHeap () returned 0x4e0000 [0115.390] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.390] CloseHandle (hObject=0xec) returned 1 [0115.390] GetProcessHeap () returned 0x4e0000 [0115.390] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.390] GetProcessHeap () returned 0x4e0000 [0115.390] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.390] GetProcessHeap () returned 0x4e0000 [0115.391] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.391] GetProcessHeap () returned 0x4e0000 [0115.391] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.391] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" [0115.391] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.NEPHILIM" [0115.391] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn.nephilim")) returned 1 [0115.392] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.MSACCESS.14.1033.hxn", cAlternateFileName="MSMSAC~1.HXN")) returned 1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2=".") returned 1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="..") returned 1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="...") returned 1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="windows") returned -1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="rsa") returned -1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="log") returned 1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="ntldr") returned -1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.392] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.393] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.393] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="programdata") returned -1 [0115.393] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="appdata") returned 1 [0115.393] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="program files") returned -1 [0115.393] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.393] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.393] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSACCESS.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" [0115.393] PathFindExtensionW (pszPath="MS.MSACCESS.14.1033.hxn") returned=".hxn" [0115.393] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.393] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.393] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.393] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.393] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.393] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.393] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.393] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.393] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.393] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.393] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.393] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.394] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.394] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.394] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.394] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.394] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.394] lstrlenA (lpString="NEPHILIM") returned 8 [0115.394] GetProcessHeap () returned 0x4e0000 [0115.394] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f8e8 [0115.394] lstrlenA (lpString="NEPHILIM") returned 8 [0115.394] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.428] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=344) returned 1 [0115.428] GetProcessHeap () returned 0x4e0000 [0115.428] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.429] GetProcessHeap () returned 0x4e0000 [0115.429] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.429] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.429] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.429] GetProcessHeap () returned 0x4e0000 [0115.429] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.429] GetProcessHeap () returned 0x4e0000 [0115.429] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.429] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.429] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.430] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x158, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.430] SetLastError (dwErrCode=0x0) [0115.430] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.432] GetLastError () returned 0x0 [0115.432] GetLastError () returned 0x0 [0115.432] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x258, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.432] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.432] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x358, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.432] lstrlenA (lpString="NEPHILIM") returned 8 [0115.432] WriteFile (in: hFile=0xec, lpBuffer=0x50f8e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50f8e8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.432] GetProcessHeap () returned 0x4e0000 [0115.432] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x158) returned 0x50fd10 [0115.432] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.432] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x158, lpOverlapped=0x0) returned 1 [0115.433] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.433] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x158, lpOverlapped=0x0) returned 1 [0115.433] GetProcessHeap () returned 0x4e0000 [0115.433] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.433] CloseHandle (hObject=0xec) returned 1 [0115.433] GetProcessHeap () returned 0x4e0000 [0115.433] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.433] GetProcessHeap () returned 0x4e0000 [0115.433] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.433] GetProcessHeap () returned 0x4e0000 [0115.433] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.433] GetProcessHeap () returned 0x4e0000 [0115.433] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.433] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" [0115.433] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.NEPHILIM" [0115.433] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn.nephilim")) returned 1 [0115.436] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.MSACCESS.DEV.14.1033.hxn", cAlternateFileName="MSMSAC~2.HXN")) returned 1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2=".") returned 1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="..") returned 1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="...") returned 1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="windows") returned -1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="log") returned 1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="ntldr") returned -1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.436] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.437] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0115.437] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0115.437] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="program files") returned -1 [0115.437] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.437] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.437] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSACCESS.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" [0115.437] PathFindExtensionW (pszPath="MS.MSACCESS.DEV.14.1033.hxn") returned=".hxn" [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.437] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.437] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.437] lstrlenA (lpString="NEPHILIM") returned 8 [0115.438] GetProcessHeap () returned 0x4e0000 [0115.438] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50f8f8 [0115.438] lstrlenA (lpString="NEPHILIM") returned 8 [0115.438] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.438] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=368) returned 1 [0115.438] GetProcessHeap () returned 0x4e0000 [0115.438] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.439] GetProcessHeap () returned 0x4e0000 [0115.439] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.439] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.439] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.439] GetProcessHeap () returned 0x4e0000 [0115.439] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.439] GetProcessHeap () returned 0x4e0000 [0115.439] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.439] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.439] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.439] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.439] SetLastError (dwErrCode=0x0) [0115.440] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.441] GetLastError () returned 0x0 [0115.441] GetLastError () returned 0x0 [0115.441] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.441] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.441] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.441] lstrlenA (lpString="NEPHILIM") returned 8 [0115.441] WriteFile (in: hFile=0xec, lpBuffer=0x50f8f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50f8f8*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.442] GetProcessHeap () returned 0x4e0000 [0115.442] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x170) returned 0x50fd10 [0115.442] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.442] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x170, lpOverlapped=0x0) returned 1 [0115.442] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.442] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x170, lpOverlapped=0x0) returned 1 [0115.442] GetProcessHeap () returned 0x4e0000 [0115.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.442] CloseHandle (hObject=0xec) returned 1 [0115.442] GetProcessHeap () returned 0x4e0000 [0115.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.442] GetProcessHeap () returned 0x4e0000 [0115.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.442] GetProcessHeap () returned 0x4e0000 [0115.442] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.443] GetProcessHeap () returned 0x4e0000 [0115.443] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.443] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" [0115.443] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.NEPHILIM" [0115.443] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn.nephilim")) returned 1 [0115.444] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.MSOUC.14.1033.hxn", cAlternateFileName="MSMSOU~1.HXN")) returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2=".") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="..") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="...") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="windows") returned -1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="rsa") returned -1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="log") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="ntldr") returned -1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="programdata") returned -1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="appdata") returned 1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="program files") returned -1 [0115.444] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.444] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.444] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSOUC.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" [0115.445] PathFindExtensionW (pszPath="MS.MSOUC.14.1033.hxn") returned=".hxn" [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.445] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.445] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.445] lstrlenA (lpString="NEPHILIM") returned 8 [0115.445] GetProcessHeap () returned 0x4e0000 [0115.445] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bcc0 [0115.445] lstrlenA (lpString="NEPHILIM") returned 8 [0115.445] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.446] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=326) returned 1 [0115.446] GetProcessHeap () returned 0x4e0000 [0115.446] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.446] GetProcessHeap () returned 0x4e0000 [0115.446] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.446] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.446] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.446] GetProcessHeap () returned 0x4e0000 [0115.446] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.446] GetProcessHeap () returned 0x4e0000 [0115.446] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.446] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.446] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.447] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x146, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.447] SetLastError (dwErrCode=0x0) [0115.447] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.448] GetLastError () returned 0x0 [0115.449] GetLastError () returned 0x0 [0115.449] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x246, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.449] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.449] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x346, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.449] lstrlenA (lpString="NEPHILIM") returned 8 [0115.449] WriteFile (in: hFile=0xec, lpBuffer=0x50bcc0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bcc0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.449] GetProcessHeap () returned 0x4e0000 [0115.449] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x146) returned 0x50fd10 [0115.449] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.449] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x146, lpOverlapped=0x0) returned 1 [0115.450] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.450] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x146, lpOverlapped=0x0) returned 1 [0115.450] GetProcessHeap () returned 0x4e0000 [0115.450] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.450] CloseHandle (hObject=0xec) returned 1 [0115.450] GetProcessHeap () returned 0x4e0000 [0115.451] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.451] GetProcessHeap () returned 0x4e0000 [0115.451] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.451] GetProcessHeap () returned 0x4e0000 [0115.451] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.451] GetProcessHeap () returned 0x4e0000 [0115.451] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.451] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" [0115.451] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.NEPHILIM" [0115.451] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn.nephilim")) returned 1 [0115.452] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.MSPUB.14.1033.hxn", cAlternateFileName="MSMSPU~1.HXN")) returned 1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2=".") returned 1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="..") returned 1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="...") returned 1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="windows") returned -1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="rsa") returned -1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="log") returned 1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="ntldr") returned -1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.452] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.453] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.453] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="programdata") returned -1 [0115.453] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="appdata") returned 1 [0115.453] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="program files") returned -1 [0115.453] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.453] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.453] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSPUB.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" [0115.453] PathFindExtensionW (pszPath="MS.MSPUB.14.1033.hxn") returned=".hxn" [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.453] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.453] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.454] lstrlenA (lpString="NEPHILIM") returned 8 [0115.454] GetProcessHeap () returned 0x4e0000 [0115.454] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bcd0 [0115.454] lstrlenA (lpString="NEPHILIM") returned 8 [0115.454] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.456] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=326) returned 1 [0115.456] GetProcessHeap () returned 0x4e0000 [0115.456] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.456] GetProcessHeap () returned 0x4e0000 [0115.456] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.456] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.456] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.456] GetProcessHeap () returned 0x4e0000 [0115.456] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.456] GetProcessHeap () returned 0x4e0000 [0115.456] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.456] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.456] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.457] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x146, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.457] SetLastError (dwErrCode=0x0) [0115.457] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.459] GetLastError () returned 0x0 [0115.459] GetLastError () returned 0x0 [0115.459] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x246, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.459] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.459] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x346, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.459] lstrlenA (lpString="NEPHILIM") returned 8 [0115.459] WriteFile (in: hFile=0xec, lpBuffer=0x50bcd0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bcd0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.459] GetProcessHeap () returned 0x4e0000 [0115.459] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x146) returned 0x50fd10 [0115.459] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.459] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x146, lpOverlapped=0x0) returned 1 [0115.460] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.460] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x146, lpOverlapped=0x0) returned 1 [0115.460] GetProcessHeap () returned 0x4e0000 [0115.460] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.460] CloseHandle (hObject=0xec) returned 1 [0115.460] GetProcessHeap () returned 0x4e0000 [0115.460] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.460] GetProcessHeap () returned 0x4e0000 [0115.460] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.460] GetProcessHeap () returned 0x4e0000 [0115.460] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.460] GetProcessHeap () returned 0x4e0000 [0115.460] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.460] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" [0115.460] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.NEPHILIM" [0115.460] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn.nephilim")) returned 1 [0115.463] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.MSPUB.DEV.14.1033.hxn", cAlternateFileName="MSMSPU~2.HXN")) returned 1 [0115.463] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2=".") returned 1 [0115.463] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="..") returned 1 [0115.463] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="...") returned 1 [0115.463] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="windows") returned -1 [0115.463] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.463] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0115.463] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="log") returned 1 [0115.463] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.463] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="ntldr") returned -1 [0115.463] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.463] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.463] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.464] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.464] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.464] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.464] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.464] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.464] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.464] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.464] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0115.464] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0115.464] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="program files") returned -1 [0115.464] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.464] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.464] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSPUB.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" [0115.464] PathFindExtensionW (pszPath="MS.MSPUB.DEV.14.1033.hxn") returned=".hxn" [0115.464] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.464] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.464] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.464] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.464] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.464] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.464] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.464] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.464] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.464] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.465] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.465] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.465] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.465] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.465] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.465] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.465] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.465] lstrlenA (lpString="NEPHILIM") returned 8 [0115.465] GetProcessHeap () returned 0x4e0000 [0115.465] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bce0 [0115.465] lstrlenA (lpString="NEPHILIM") returned 8 [0115.465] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.466] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=350) returned 1 [0115.466] GetProcessHeap () returned 0x4e0000 [0115.466] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.467] GetProcessHeap () returned 0x4e0000 [0115.467] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.467] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.467] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.467] GetProcessHeap () returned 0x4e0000 [0115.467] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.467] GetProcessHeap () returned 0x4e0000 [0115.467] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.467] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.467] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.468] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.468] SetLastError (dwErrCode=0x0) [0115.468] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.469] GetLastError () returned 0x0 [0115.469] GetLastError () returned 0x0 [0115.469] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x25e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.469] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.470] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x35e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.470] lstrlenA (lpString="NEPHILIM") returned 8 [0115.470] WriteFile (in: hFile=0xec, lpBuffer=0x50bce0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bce0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.470] GetProcessHeap () returned 0x4e0000 [0115.470] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x15e) returned 0x50fd10 [0115.470] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.470] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x15e, lpOverlapped=0x0) returned 1 [0115.470] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.470] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x15e, lpOverlapped=0x0) returned 1 [0115.470] GetProcessHeap () returned 0x4e0000 [0115.470] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.470] CloseHandle (hObject=0xec) returned 1 [0115.471] GetProcessHeap () returned 0x4e0000 [0115.471] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.471] GetProcessHeap () returned 0x4e0000 [0115.471] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.471] GetProcessHeap () returned 0x4e0000 [0115.471] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.471] GetProcessHeap () returned 0x4e0000 [0115.471] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.471] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" [0115.471] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.NEPHILIM" [0115.471] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn.nephilim")) returned 1 [0115.472] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.MSTORE.14.1033.hxn", cAlternateFileName="MSMSTO~1.HXN")) returned 1 [0115.472] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2=".") returned 1 [0115.472] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="..") returned 1 [0115.472] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="...") returned 1 [0115.472] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="windows") returned -1 [0115.472] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.472] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="rsa") returned -1 [0115.472] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="log") returned 1 [0115.472] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.472] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="ntldr") returned -1 [0115.472] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="programdata") returned -1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="appdata") returned 1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="program files") returned -1 [0115.473] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.473] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.473] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSTORE.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" [0115.473] PathFindExtensionW (pszPath="MS.MSTORE.14.1033.hxn") returned=".hxn" [0115.473] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.473] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.473] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.473] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.473] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.473] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.473] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.473] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.473] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.474] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.474] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.474] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.474] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.474] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.474] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.474] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.474] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.474] lstrlenA (lpString="NEPHILIM") returned 8 [0115.474] GetProcessHeap () returned 0x4e0000 [0115.474] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bcf0 [0115.474] lstrlenA (lpString="NEPHILIM") returned 8 [0115.474] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.475] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=332) returned 1 [0115.475] GetProcessHeap () returned 0x4e0000 [0115.475] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.475] GetProcessHeap () returned 0x4e0000 [0115.475] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.475] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.475] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.475] GetProcessHeap () returned 0x4e0000 [0115.475] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.475] GetProcessHeap () returned 0x4e0000 [0115.475] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.475] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.475] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.476] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x14c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.476] SetLastError (dwErrCode=0x0) [0115.476] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.478] GetLastError () returned 0x0 [0115.478] GetLastError () returned 0x0 [0115.478] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x24c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.478] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.478] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x34c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.478] lstrlenA (lpString="NEPHILIM") returned 8 [0115.479] WriteFile (in: hFile=0xec, lpBuffer=0x50bcf0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bcf0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.479] GetProcessHeap () returned 0x4e0000 [0115.479] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x14c) returned 0x50fd10 [0115.479] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.479] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x14c, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x14c, lpOverlapped=0x0) returned 1 [0115.479] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.479] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x14c, lpOverlapped=0x0) returned 1 [0115.479] GetProcessHeap () returned 0x4e0000 [0115.479] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.479] CloseHandle (hObject=0xec) returned 1 [0115.480] GetProcessHeap () returned 0x4e0000 [0115.480] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.480] GetProcessHeap () returned 0x4e0000 [0115.480] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.480] GetProcessHeap () returned 0x4e0000 [0115.480] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.480] GetProcessHeap () returned 0x4e0000 [0115.480] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.480] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" [0115.480] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.NEPHILIM" [0115.480] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn.nephilim")) returned 1 [0115.481] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.OIS.14.1033.hxn", cAlternateFileName="MSOIS1~1.HXN")) returned 1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2=".") returned 1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="..") returned 1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="...") returned 1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="windows") returned -1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="rsa") returned -1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="log") returned 1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="ntldr") returned -1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.481] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.482] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.482] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.482] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.482] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.482] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.482] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.482] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="programdata") returned -1 [0115.482] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="appdata") returned 1 [0115.482] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="program files") returned -1 [0115.482] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.482] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.482] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.OIS.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" [0115.482] PathFindExtensionW (pszPath="MS.OIS.14.1033.hxn") returned=".hxn" [0115.482] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.482] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.482] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.482] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.482] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.482] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.482] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.482] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.482] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.482] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.483] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.483] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.483] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.483] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.483] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.483] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.483] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.483] lstrlenA (lpString="NEPHILIM") returned 8 [0115.483] GetProcessHeap () returned 0x4e0000 [0115.483] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bd00 [0115.483] lstrlenA (lpString="NEPHILIM") returned 8 [0115.483] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.484] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=314) returned 1 [0115.484] GetProcessHeap () returned 0x4e0000 [0115.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.484] GetProcessHeap () returned 0x4e0000 [0115.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.484] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.484] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.484] GetProcessHeap () returned 0x4e0000 [0115.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.484] GetProcessHeap () returned 0x4e0000 [0115.484] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.484] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.484] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.485] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x13a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.485] SetLastError (dwErrCode=0x0) [0115.485] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.487] GetLastError () returned 0x0 [0115.487] GetLastError () returned 0x0 [0115.487] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x23a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.487] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.487] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x33a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.487] lstrlenA (lpString="NEPHILIM") returned 8 [0115.487] WriteFile (in: hFile=0xec, lpBuffer=0x50bd00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bd00*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.487] GetProcessHeap () returned 0x4e0000 [0115.487] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x13a) returned 0x50fd10 [0115.487] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.487] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x13a, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x13a, lpOverlapped=0x0) returned 1 [0115.487] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.488] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x13a, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x13a, lpOverlapped=0x0) returned 1 [0115.488] GetProcessHeap () returned 0x4e0000 [0115.488] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.488] CloseHandle (hObject=0xec) returned 1 [0115.488] GetProcessHeap () returned 0x4e0000 [0115.488] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.488] GetProcessHeap () returned 0x4e0000 [0115.488] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.488] GetProcessHeap () returned 0x4e0000 [0115.488] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.488] GetProcessHeap () returned 0x4e0000 [0115.488] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.488] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" [0115.488] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.NEPHILIM" [0115.488] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn.nephilim")) returned 1 [0115.489] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xc997810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc997810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc9e3ad0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.ONENOTE.14.1033.hxn", cAlternateFileName="MSONEN~1.HXN")) returned 1 [0115.489] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2=".") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="..") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="...") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="windows") returned -1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="rsa") returned -1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="log") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="ntldr") returned -1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="programdata") returned -1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="appdata") returned 1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="program files") returned -1 [0115.490] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.490] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.490] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.ONENOTE.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" [0115.491] PathFindExtensionW (pszPath="MS.ONENOTE.14.1033.hxn") returned=".hxn" [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.491] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.491] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.491] lstrlenA (lpString="NEPHILIM") returned 8 [0115.491] GetProcessHeap () returned 0x4e0000 [0115.491] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bd10 [0115.491] lstrlenA (lpString="NEPHILIM") returned 8 [0115.491] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.493] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=338) returned 1 [0115.493] GetProcessHeap () returned 0x4e0000 [0115.493] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.493] GetProcessHeap () returned 0x4e0000 [0115.493] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.493] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.493] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.493] GetProcessHeap () returned 0x4e0000 [0115.493] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.493] GetProcessHeap () returned 0x4e0000 [0115.493] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.494] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.494] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.494] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x152, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.494] SetLastError (dwErrCode=0x0) [0115.494] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.496] GetLastError () returned 0x0 [0115.496] GetLastError () returned 0x0 [0115.496] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x252, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.496] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.496] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.496] lstrlenA (lpString="NEPHILIM") returned 8 [0115.496] WriteFile (in: hFile=0xec, lpBuffer=0x50bd10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bd10*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.497] GetProcessHeap () returned 0x4e0000 [0115.497] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x152) returned 0x50fd10 [0115.497] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.497] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x152, lpOverlapped=0x0) returned 1 [0115.497] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.497] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x152, lpOverlapped=0x0) returned 1 [0115.497] GetProcessHeap () returned 0x4e0000 [0115.497] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.497] CloseHandle (hObject=0xec) returned 1 [0115.498] GetProcessHeap () returned 0x4e0000 [0115.498] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.498] GetProcessHeap () returned 0x4e0000 [0115.498] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.498] GetProcessHeap () returned 0x4e0000 [0115.498] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.498] GetProcessHeap () returned 0x4e0000 [0115.498] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.498] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" [0115.498] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.NEPHILIM" [0115.498] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn.nephilim")) returned 1 [0115.502] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2689510, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.OUTLOOK.14.1033.hxn", cAlternateFileName="MSOUTL~1.HXN")) returned 1 [0115.502] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2=".") returned 1 [0115.502] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="..") returned 1 [0115.502] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="...") returned 1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="windows") returned -1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="rsa") returned -1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="log") returned 1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="ntldr") returned -1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="programdata") returned -1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="appdata") returned 1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="program files") returned -1 [0115.503] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.503] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.503] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.OUTLOOK.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" [0115.504] PathFindExtensionW (pszPath="MS.OUTLOOK.14.1033.hxn") returned=".hxn" [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.504] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.504] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.504] lstrlenA (lpString="NEPHILIM") returned 8 [0115.504] GetProcessHeap () returned 0x4e0000 [0115.504] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bd20 [0115.505] lstrlenA (lpString="NEPHILIM") returned 8 [0115.505] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.506] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=338) returned 1 [0115.506] GetProcessHeap () returned 0x4e0000 [0115.506] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.506] GetProcessHeap () returned 0x4e0000 [0115.506] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.506] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.506] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.506] GetProcessHeap () returned 0x4e0000 [0115.506] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.506] GetProcessHeap () returned 0x4e0000 [0115.506] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.506] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.507] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.507] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x152, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.507] SetLastError (dwErrCode=0x0) [0115.507] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.509] GetLastError () returned 0x0 [0115.509] GetLastError () returned 0x0 [0115.509] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x252, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.509] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.509] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.509] lstrlenA (lpString="NEPHILIM") returned 8 [0115.509] WriteFile (in: hFile=0xec, lpBuffer=0x50bd20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bd20*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.509] GetProcessHeap () returned 0x4e0000 [0115.509] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x152) returned 0x50fd10 [0115.509] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.509] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x152, lpOverlapped=0x0) returned 1 [0115.510] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.510] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x152, lpOverlapped=0x0) returned 1 [0115.510] GetProcessHeap () returned 0x4e0000 [0115.510] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.510] CloseHandle (hObject=0xec) returned 1 [0115.510] GetProcessHeap () returned 0x4e0000 [0115.510] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.510] GetProcessHeap () returned 0x4e0000 [0115.510] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.510] GetProcessHeap () returned 0x4e0000 [0115.510] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.510] GetProcessHeap () returned 0x4e0000 [0115.510] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.510] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" [0115.510] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.NEPHILIM" [0115.510] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn.nephilim")) returned 1 [0115.511] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x26af670, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.OUTLOOK.DEV.14.1033.hxn", cAlternateFileName="MSOUTL~2.HXN")) returned 1 [0115.511] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2=".") returned 1 [0115.511] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="..") returned 1 [0115.511] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="...") returned 1 [0115.511] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="windows") returned -1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="log") returned 1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="ntldr") returned -1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="program files") returned -1 [0115.512] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.513] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.513] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.OUTLOOK.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" [0115.513] PathFindExtensionW (pszPath="MS.OUTLOOK.DEV.14.1033.hxn") returned=".hxn" [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.513] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.513] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.513] lstrlenA (lpString="NEPHILIM") returned 8 [0115.513] GetProcessHeap () returned 0x4e0000 [0115.513] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bd30 [0115.513] lstrlenA (lpString="NEPHILIM") returned 8 [0115.514] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.514] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=362) returned 1 [0115.514] GetProcessHeap () returned 0x4e0000 [0115.514] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.514] GetProcessHeap () returned 0x4e0000 [0115.514] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.514] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.514] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.514] GetProcessHeap () returned 0x4e0000 [0115.515] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.515] GetProcessHeap () returned 0x4e0000 [0115.515] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.515] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.515] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.515] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x16a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.515] SetLastError (dwErrCode=0x0) [0115.515] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.517] GetLastError () returned 0x0 [0115.517] GetLastError () returned 0x0 [0115.517] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x26a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.517] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.517] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x36a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.517] lstrlenA (lpString="NEPHILIM") returned 8 [0115.517] WriteFile (in: hFile=0xec, lpBuffer=0x50bd30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bd30*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.517] GetProcessHeap () returned 0x4e0000 [0115.517] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x16a) returned 0x50fd10 [0115.518] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.518] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x16a, lpOverlapped=0x0) returned 1 [0115.518] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.518] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x16a, lpOverlapped=0x0) returned 1 [0115.518] GetProcessHeap () returned 0x4e0000 [0115.518] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.518] CloseHandle (hObject=0xec) returned 1 [0115.518] GetProcessHeap () returned 0x4e0000 [0115.518] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.518] GetProcessHeap () returned 0x4e0000 [0115.518] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.518] GetProcessHeap () returned 0x4e0000 [0115.518] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.518] GetProcessHeap () returned 0x4e0000 [0115.518] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.518] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" [0115.519] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.NEPHILIM" [0115.519] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn.nephilim")) returned 1 [0115.520] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.POWERPNT.14.1033.hxn", cAlternateFileName="MSPOWE~1.HXN")) returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2=".") returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="..") returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="...") returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="windows") returned -1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="rsa") returned -1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="log") returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="ntldr") returned -1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="programdata") returned -1 [0115.520] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="appdata") returned 1 [0115.521] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="program files") returned -1 [0115.521] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.521] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.521] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.POWERPNT.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" [0115.521] PathFindExtensionW (pszPath="MS.POWERPNT.14.1033.hxn") returned=".hxn" [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.521] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.521] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.521] lstrlenA (lpString="NEPHILIM") returned 8 [0115.521] GetProcessHeap () returned 0x4e0000 [0115.521] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bd40 [0115.522] lstrlenA (lpString="NEPHILIM") returned 8 [0115.522] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.523] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=344) returned 1 [0115.523] GetProcessHeap () returned 0x4e0000 [0115.523] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.523] GetProcessHeap () returned 0x4e0000 [0115.523] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.523] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.523] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.523] GetProcessHeap () returned 0x4e0000 [0115.523] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.523] GetProcessHeap () returned 0x4e0000 [0115.523] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.523] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.524] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.524] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x158, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.524] SetLastError (dwErrCode=0x0) [0115.524] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.526] GetLastError () returned 0x0 [0115.526] GetLastError () returned 0x0 [0115.526] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x258, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.526] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.526] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x358, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.526] lstrlenA (lpString="NEPHILIM") returned 8 [0115.526] WriteFile (in: hFile=0xec, lpBuffer=0x50bd40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bd40*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.526] GetProcessHeap () returned 0x4e0000 [0115.526] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x158) returned 0x50fd10 [0115.526] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.526] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x158, lpOverlapped=0x0) returned 1 [0115.526] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.526] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x158, lpOverlapped=0x0) returned 1 [0115.527] GetProcessHeap () returned 0x4e0000 [0115.527] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.527] CloseHandle (hObject=0xec) returned 1 [0115.527] GetProcessHeap () returned 0x4e0000 [0115.527] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.527] GetProcessHeap () returned 0x4e0000 [0115.527] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.527] GetProcessHeap () returned 0x4e0000 [0115.527] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.527] GetProcessHeap () returned 0x4e0000 [0115.527] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.527] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" [0115.527] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.NEPHILIM" [0115.527] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn.nephilim")) returned 1 [0115.528] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.POWERPNT.DEV.14.1033.hxn", cAlternateFileName="MSPOWE~2.HXN")) returned 1 [0115.528] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2=".") returned 1 [0115.528] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="..") returned 1 [0115.528] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="...") returned 1 [0115.528] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="windows") returned -1 [0115.528] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.528] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0115.528] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="log") returned 1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="ntldr") returned -1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="program files") returned -1 [0115.529] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.529] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.529] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.POWERPNT.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" [0115.529] PathFindExtensionW (pszPath="MS.POWERPNT.DEV.14.1033.hxn") returned=".hxn" [0115.529] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.529] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.529] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.529] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.529] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.529] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.530] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.530] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.530] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.530] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.530] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.530] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.530] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.530] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.530] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.530] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.530] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.530] lstrlenA (lpString="NEPHILIM") returned 8 [0115.530] GetProcessHeap () returned 0x4e0000 [0115.530] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bd50 [0115.530] lstrlenA (lpString="NEPHILIM") returned 8 [0115.530] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.531] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=368) returned 1 [0115.531] GetProcessHeap () returned 0x4e0000 [0115.531] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.531] GetProcessHeap () returned 0x4e0000 [0115.531] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.531] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.531] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.531] GetProcessHeap () returned 0x4e0000 [0115.531] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.531] GetProcessHeap () returned 0x4e0000 [0115.532] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.532] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.532] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.532] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.532] SetLastError (dwErrCode=0x0) [0115.532] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.534] GetLastError () returned 0x0 [0115.534] GetLastError () returned 0x0 [0115.534] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.534] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.534] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.534] lstrlenA (lpString="NEPHILIM") returned 8 [0115.534] WriteFile (in: hFile=0xec, lpBuffer=0x50bd50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bd50*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.534] GetProcessHeap () returned 0x4e0000 [0115.534] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x170) returned 0x50fd10 [0115.534] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.535] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x170, lpOverlapped=0x0) returned 1 [0115.535] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.535] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x170, lpOverlapped=0x0) returned 1 [0115.535] GetProcessHeap () returned 0x4e0000 [0115.535] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.535] CloseHandle (hObject=0xec) returned 1 [0115.535] GetProcessHeap () returned 0x4e0000 [0115.535] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.535] GetProcessHeap () returned 0x4e0000 [0115.535] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.535] GetProcessHeap () returned 0x4e0000 [0115.535] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.535] GetProcessHeap () returned 0x4e0000 [0115.535] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.535] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" [0115.536] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.NEPHILIM" [0115.536] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn.nephilim")) returned 1 [0115.536] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.SETLANG.14.1033.hxn", cAlternateFileName="MSSETL~1.HXN")) returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2=".") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="..") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="...") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="windows") returned -1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="rsa") returned -1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="log") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="ntldr") returned -1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="programdata") returned -1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="appdata") returned 1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="program files") returned -1 [0115.537] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.537] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.538] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.SETLANG.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" [0115.538] PathFindExtensionW (pszPath="MS.SETLANG.14.1033.hxn") returned=".hxn" [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.538] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.538] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.538] lstrlenA (lpString="NEPHILIM") returned 8 [0115.538] GetProcessHeap () returned 0x4e0000 [0115.538] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bd60 [0115.538] lstrlenA (lpString="NEPHILIM") returned 8 [0115.539] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.539] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=338) returned 1 [0115.539] GetProcessHeap () returned 0x4e0000 [0115.539] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.539] GetProcessHeap () returned 0x4e0000 [0115.539] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.539] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.539] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.539] GetProcessHeap () returned 0x4e0000 [0115.539] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.539] GetProcessHeap () returned 0x4e0000 [0115.539] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.539] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.540] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.540] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x152, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.540] SetLastError (dwErrCode=0x0) [0115.540] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.544] GetLastError () returned 0x0 [0115.544] GetLastError () returned 0x0 [0115.544] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x252, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.544] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.544] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.544] lstrlenA (lpString="NEPHILIM") returned 8 [0115.544] WriteFile (in: hFile=0xec, lpBuffer=0x50bd60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bd60*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.544] GetProcessHeap () returned 0x4e0000 [0115.544] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x152) returned 0x50fd10 [0115.545] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.545] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x152, lpOverlapped=0x0) returned 1 [0115.545] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.545] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x152, lpOverlapped=0x0) returned 1 [0115.545] GetProcessHeap () returned 0x4e0000 [0115.545] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.545] CloseHandle (hObject=0xec) returned 1 [0115.545] GetProcessHeap () returned 0x4e0000 [0115.545] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.545] GetProcessHeap () returned 0x4e0000 [0115.545] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.545] GetProcessHeap () returned 0x4e0000 [0115.546] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.546] GetProcessHeap () returned 0x4e0000 [0115.546] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.546] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" [0115.546] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.NEPHILIM" [0115.546] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn.nephilim")) returned 1 [0115.547] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x5269fec0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.VISIO.14.1033.hxn", cAlternateFileName="MSVISI~1.HXN")) returned 1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2=".") returned 1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="..") returned 1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="...") returned 1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="windows") returned -1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="rsa") returned -1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="log") returned 1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="ntldr") returned -1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.547] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.548] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.548] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="programdata") returned -1 [0115.548] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="appdata") returned 1 [0115.548] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="program files") returned -1 [0115.548] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.548] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.548] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.VISIO.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" [0115.548] PathFindExtensionW (pszPath="MS.VISIO.14.1033.hxn") returned=".hxn" [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.548] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.549] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.549] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.549] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.549] lstrlenA (lpString="NEPHILIM") returned 8 [0115.549] GetProcessHeap () returned 0x4e0000 [0115.549] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bd70 [0115.549] lstrlenA (lpString="NEPHILIM") returned 8 [0115.549] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.550] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=326) returned 1 [0115.550] GetProcessHeap () returned 0x4e0000 [0115.550] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.550] GetProcessHeap () returned 0x4e0000 [0115.550] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.550] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.550] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.551] GetProcessHeap () returned 0x4e0000 [0115.551] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.551] GetProcessHeap () returned 0x4e0000 [0115.551] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.551] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.551] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.551] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x146, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.551] SetLastError (dwErrCode=0x0) [0115.551] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.553] GetLastError () returned 0x0 [0115.553] GetLastError () returned 0x0 [0115.553] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x246, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.553] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.554] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x346, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.554] lstrlenA (lpString="NEPHILIM") returned 8 [0115.554] WriteFile (in: hFile=0xec, lpBuffer=0x50bd70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bd70*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.554] GetProcessHeap () returned 0x4e0000 [0115.554] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x146) returned 0x50fd10 [0115.554] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.554] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x146, lpOverlapped=0x0) returned 1 [0115.554] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.554] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x146, lpOverlapped=0x0) returned 1 [0115.554] GetProcessHeap () returned 0x4e0000 [0115.554] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.554] CloseHandle (hObject=0xec) returned 1 [0115.554] GetProcessHeap () returned 0x4e0000 [0115.555] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.555] GetProcessHeap () returned 0x4e0000 [0115.555] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.555] GetProcessHeap () returned 0x4e0000 [0115.555] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.555] GetProcessHeap () returned 0x4e0000 [0115.555] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.555] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" [0115.555] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.NEPHILIM" [0115.555] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn.nephilim")) returned 1 [0115.556] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.VISIO.DEV.14.1033.hxn", cAlternateFileName="MSVISI~3.HXN")) returned 1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2=".") returned 1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="..") returned 1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="...") returned 1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="windows") returned -1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="log") returned 1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="ntldr") returned -1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.556] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.557] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.557] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.557] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.557] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.557] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.557] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.557] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0115.557] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0115.557] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="program files") returned -1 [0115.557] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.557] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.557] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.VISIO.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" [0115.557] PathFindExtensionW (pszPath="MS.VISIO.DEV.14.1033.hxn") returned=".hxn" [0115.557] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.557] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.557] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.557] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.557] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.557] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.557] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.557] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.557] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.557] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.557] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.557] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.558] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.558] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.558] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.558] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.558] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.558] lstrlenA (lpString="NEPHILIM") returned 8 [0115.558] GetProcessHeap () returned 0x4e0000 [0115.558] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bd80 [0115.558] lstrlenA (lpString="NEPHILIM") returned 8 [0115.558] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.559] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=350) returned 1 [0115.559] GetProcessHeap () returned 0x4e0000 [0115.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.559] GetProcessHeap () returned 0x4e0000 [0115.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.559] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.559] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.559] GetProcessHeap () returned 0x4e0000 [0115.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.559] GetProcessHeap () returned 0x4e0000 [0115.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.559] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.560] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.560] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.560] SetLastError (dwErrCode=0x0) [0115.560] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.562] GetLastError () returned 0x0 [0115.562] GetLastError () returned 0x0 [0115.562] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x25e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.562] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.562] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x35e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.562] lstrlenA (lpString="NEPHILIM") returned 8 [0115.562] WriteFile (in: hFile=0xec, lpBuffer=0x50bd80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bd80*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.562] GetProcessHeap () returned 0x4e0000 [0115.562] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x15e) returned 0x50fd10 [0115.562] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.562] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x15e, lpOverlapped=0x0) returned 1 [0115.562] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.562] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x15e, lpOverlapped=0x0) returned 1 [0115.563] GetProcessHeap () returned 0x4e0000 [0115.563] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.563] CloseHandle (hObject=0xec) returned 1 [0115.563] GetProcessHeap () returned 0x4e0000 [0115.563] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.563] GetProcessHeap () returned 0x4e0000 [0115.563] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.563] GetProcessHeap () returned 0x4e0000 [0115.563] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.563] GetProcessHeap () returned 0x4e0000 [0115.563] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.563] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" [0115.563] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.NEPHILIM" [0115.563] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn.nephilim")) returned 1 [0115.564] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52738440, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.VISIO.SHAPESHEET.14.1033.hxn", cAlternateFileName="MSVISI~4.HXN")) returned 1 [0115.564] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2=".") returned 1 [0115.564] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="..") returned 1 [0115.564] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="...") returned 1 [0115.564] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="windows") returned -1 [0115.564] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.564] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="rsa") returned -1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="log") returned 1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="ntldr") returned -1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="programdata") returned -1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="appdata") returned 1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="program files") returned -1 [0115.565] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.565] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.565] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.VISIO.SHAPESHEET.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" [0115.565] PathFindExtensionW (pszPath="MS.VISIO.SHAPESHEET.14.1033.hxn") returned=".hxn" [0115.565] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.565] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.565] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.566] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.566] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.566] lstrlenA (lpString="NEPHILIM") returned 8 [0115.566] GetProcessHeap () returned 0x4e0000 [0115.566] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bd90 [0115.566] lstrlenA (lpString="NEPHILIM") returned 8 [0115.566] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.567] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=392) returned 1 [0115.567] GetProcessHeap () returned 0x4e0000 [0115.567] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.567] GetProcessHeap () returned 0x4e0000 [0115.567] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.567] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.567] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.567] GetProcessHeap () returned 0x4e0000 [0115.567] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.567] GetProcessHeap () returned 0x4e0000 [0115.567] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.567] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.568] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.568] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x188, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.568] SetLastError (dwErrCode=0x0) [0115.568] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.570] GetLastError () returned 0x0 [0115.570] GetLastError () returned 0x0 [0115.570] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x288, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.570] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.570] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x388, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.570] lstrlenA (lpString="NEPHILIM") returned 8 [0115.570] WriteFile (in: hFile=0xec, lpBuffer=0x50bd90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bd90*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.570] GetProcessHeap () returned 0x4e0000 [0115.570] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x188) returned 0x50fd10 [0115.570] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.570] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x188, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x188, lpOverlapped=0x0) returned 1 [0115.570] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.571] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x188, lpOverlapped=0x0) returned 1 [0115.571] GetProcessHeap () returned 0x4e0000 [0115.571] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.571] CloseHandle (hObject=0xec) returned 1 [0115.571] GetProcessHeap () returned 0x4e0000 [0115.571] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.571] GetProcessHeap () returned 0x4e0000 [0115.571] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.571] GetProcessHeap () returned 0x4e0000 [0115.571] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.571] GetProcessHeap () returned 0x4e0000 [0115.571] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.571] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" [0115.571] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.NEPHILIM" [0115.572] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn.nephilim")) returned 1 [0115.572] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52738440, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.VISIO_PRM.14.1033.hxn", cAlternateFileName="MSE1C9~1.HXN")) returned 1 [0115.572] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2=".") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="..") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="...") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="windows") returned -1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="rsa") returned -1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="log") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="ntldr") returned -1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="programdata") returned -1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="appdata") returned 1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="program files") returned -1 [0115.573] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.573] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.573] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.VISIO_PRM.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" [0115.574] PathFindExtensionW (pszPath="MS.VISIO_PRM.14.1033.hxn") returned=".hxn" [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.574] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.574] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.574] lstrlenA (lpString="NEPHILIM") returned 8 [0115.574] GetProcessHeap () returned 0x4e0000 [0115.574] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bda0 [0115.574] lstrlenA (lpString="NEPHILIM") returned 8 [0115.575] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.576] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=350) returned 1 [0115.576] GetProcessHeap () returned 0x4e0000 [0115.576] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.576] GetProcessHeap () returned 0x4e0000 [0115.576] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.577] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.577] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.577] GetProcessHeap () returned 0x4e0000 [0115.577] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.577] GetProcessHeap () returned 0x4e0000 [0115.577] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.577] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.577] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.577] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.577] SetLastError (dwErrCode=0x0) [0115.577] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.580] GetLastError () returned 0x0 [0115.580] GetLastError () returned 0x0 [0115.580] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x25e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.580] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.580] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x35e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.580] lstrlenA (lpString="NEPHILIM") returned 8 [0115.580] WriteFile (in: hFile=0xec, lpBuffer=0x50bda0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bda0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.580] GetProcessHeap () returned 0x4e0000 [0115.580] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x15e) returned 0x50fd10 [0115.580] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.580] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x15e, lpOverlapped=0x0) returned 1 [0115.580] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.580] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x15e, lpOverlapped=0x0) returned 1 [0115.581] GetProcessHeap () returned 0x4e0000 [0115.581] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.581] CloseHandle (hObject=0xec) returned 1 [0115.581] GetProcessHeap () returned 0x4e0000 [0115.581] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.581] GetProcessHeap () returned 0x4e0000 [0115.581] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.581] GetProcessHeap () returned 0x4e0000 [0115.581] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.581] GetProcessHeap () returned 0x4e0000 [0115.581] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.581] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" [0115.581] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.NEPHILIM" [0115.581] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn.nephilim")) returned 1 [0115.582] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.VISIO_STD.14.1033.hxn", cAlternateFileName="MSVISI~2.HXN")) returned 1 [0115.582] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2=".") returned 1 [0115.582] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="..") returned 1 [0115.582] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="...") returned 1 [0115.582] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="windows") returned -1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="rsa") returned -1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="log") returned 1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="ntldr") returned -1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="programdata") returned -1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="appdata") returned 1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="program files") returned -1 [0115.583] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.583] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.583] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.VISIO_STD.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" [0115.583] PathFindExtensionW (pszPath="MS.VISIO_STD.14.1033.hxn") returned=".hxn" [0115.583] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.584] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.584] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.584] lstrlenA (lpString="NEPHILIM") returned 8 [0115.584] GetProcessHeap () returned 0x4e0000 [0115.584] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bdb0 [0115.584] lstrlenA (lpString="NEPHILIM") returned 8 [0115.584] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.585] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=350) returned 1 [0115.585] GetProcessHeap () returned 0x4e0000 [0115.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.585] GetProcessHeap () returned 0x4e0000 [0115.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.585] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.585] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.585] GetProcessHeap () returned 0x4e0000 [0115.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.585] GetProcessHeap () returned 0x4e0000 [0115.585] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.585] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.586] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.586] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x15e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.586] SetLastError (dwErrCode=0x0) [0115.586] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.588] GetLastError () returned 0x0 [0115.588] GetLastError () returned 0x0 [0115.588] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x25e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.588] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.588] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x35e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.588] lstrlenA (lpString="NEPHILIM") returned 8 [0115.588] WriteFile (in: hFile=0xec, lpBuffer=0x50bdb0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bdb0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.588] GetProcessHeap () returned 0x4e0000 [0115.588] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x15e) returned 0x50fd10 [0115.588] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.588] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x15e, lpOverlapped=0x0) returned 1 [0115.588] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.589] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x15e, lpOverlapped=0x0) returned 1 [0115.589] GetProcessHeap () returned 0x4e0000 [0115.589] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.589] CloseHandle (hObject=0xec) returned 1 [0115.589] GetProcessHeap () returned 0x4e0000 [0115.589] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.589] GetProcessHeap () returned 0x4e0000 [0115.589] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.589] GetProcessHeap () returned 0x4e0000 [0115.589] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.589] GetProcessHeap () returned 0x4e0000 [0115.589] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.589] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" [0115.589] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.NEPHILIM" [0115.589] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn.nephilim")) returned 1 [0115.591] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xaf766ee0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf766ee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf7d9300, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.WINPROJ.14.1033.hxn", cAlternateFileName="MSWINP~1.HXN")) returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2=".") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="..") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="...") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="windows") returned -1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="rsa") returned -1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="log") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="ntldr") returned -1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="programdata") returned -1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="appdata") returned 1 [0115.591] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="program files") returned -1 [0115.592] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.592] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.592] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.WINPROJ.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" [0115.592] PathFindExtensionW (pszPath="MS.WINPROJ.14.1033.hxn") returned=".hxn" [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.592] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.592] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.592] lstrlenA (lpString="NEPHILIM") returned 8 [0115.592] GetProcessHeap () returned 0x4e0000 [0115.592] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bdc0 [0115.593] lstrlenA (lpString="NEPHILIM") returned 8 [0115.593] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.593] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=338) returned 1 [0115.593] GetProcessHeap () returned 0x4e0000 [0115.593] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.593] GetProcessHeap () returned 0x4e0000 [0115.593] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.593] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.593] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.593] GetProcessHeap () returned 0x4e0000 [0115.593] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.593] GetProcessHeap () returned 0x4e0000 [0115.594] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.594] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.594] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.594] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x152, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.594] SetLastError (dwErrCode=0x0) [0115.594] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.596] GetLastError () returned 0x0 [0115.596] GetLastError () returned 0x0 [0115.596] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x252, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.596] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.596] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.596] lstrlenA (lpString="NEPHILIM") returned 8 [0115.596] WriteFile (in: hFile=0xec, lpBuffer=0x50bdc0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bdc0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.596] GetProcessHeap () returned 0x4e0000 [0115.596] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x152) returned 0x50fd10 [0115.596] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.597] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x152, lpOverlapped=0x0) returned 1 [0115.597] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.597] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x152, lpOverlapped=0x0) returned 1 [0115.597] GetProcessHeap () returned 0x4e0000 [0115.597] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.597] CloseHandle (hObject=0xec) returned 1 [0115.597] GetProcessHeap () returned 0x4e0000 [0115.597] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.597] GetProcessHeap () returned 0x4e0000 [0115.597] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.597] GetProcessHeap () returned 0x4e0000 [0115.597] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.597] GetProcessHeap () returned 0x4e0000 [0115.597] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.597] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" [0115.597] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.NEPHILIM" [0115.598] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn.nephilim")) returned 1 [0115.598] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xaf766ee0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf766ee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf7d9300, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.WINPROJ.DEV.14.1033.hxn", cAlternateFileName="MSWINP~2.HXN")) returned 1 [0115.598] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2=".") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="..") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="...") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="windows") returned -1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="log") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="ntldr") returned -1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="program files") returned -1 [0115.599] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.600] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.600] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.WINPROJ.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" [0115.600] PathFindExtensionW (pszPath="MS.WINPROJ.DEV.14.1033.hxn") returned=".hxn" [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.600] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.600] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.600] lstrlenA (lpString="NEPHILIM") returned 8 [0115.600] GetProcessHeap () returned 0x4e0000 [0115.600] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bdd0 [0115.601] lstrlenA (lpString="NEPHILIM") returned 8 [0115.601] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.602] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=362) returned 1 [0115.602] GetProcessHeap () returned 0x4e0000 [0115.602] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.602] GetProcessHeap () returned 0x4e0000 [0115.602] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.602] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.602] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.602] GetProcessHeap () returned 0x4e0000 [0115.602] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.603] GetProcessHeap () returned 0x4e0000 [0115.603] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.603] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.603] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.603] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x16a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.603] SetLastError (dwErrCode=0x0) [0115.603] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.605] GetLastError () returned 0x0 [0115.605] GetLastError () returned 0x0 [0115.605] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x26a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.605] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.605] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x36a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.605] lstrlenA (lpString="NEPHILIM") returned 8 [0115.605] WriteFile (in: hFile=0xec, lpBuffer=0x50bdd0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bdd0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.606] GetProcessHeap () returned 0x4e0000 [0115.606] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x16a) returned 0x50fd10 [0115.606] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.606] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x16a, lpOverlapped=0x0) returned 1 [0115.606] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.606] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x16a, lpOverlapped=0x0) returned 1 [0115.606] GetProcessHeap () returned 0x4e0000 [0115.606] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.606] CloseHandle (hObject=0xec) returned 1 [0115.606] GetProcessHeap () returned 0x4e0000 [0115.606] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.606] GetProcessHeap () returned 0x4e0000 [0115.607] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.607] GetProcessHeap () returned 0x4e0000 [0115.607] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.607] GetProcessHeap () returned 0x4e0000 [0115.607] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.607] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" [0115.607] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.NEPHILIM" [0115.607] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn.nephilim")) returned 1 [0115.608] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1e67e130, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e67e130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e6f0550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.WINWORD.14.1033.hxn", cAlternateFileName="MSWINW~1.HXN")) returned 1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2=".") returned 1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="..") returned 1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="...") returned 1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="windows") returned -1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="rsa") returned -1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="log") returned 1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="ntldr") returned -1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.608] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="programdata") returned -1 [0115.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="appdata") returned 1 [0115.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="program files") returned -1 [0115.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.609] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.609] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.WINWORD.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" [0115.609] PathFindExtensionW (pszPath="MS.WINWORD.14.1033.hxn") returned=".hxn" [0115.609] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.609] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.609] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.609] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.609] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.609] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.609] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.609] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.609] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.609] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.609] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.609] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.610] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.610] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.610] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.610] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.610] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.610] lstrlenA (lpString="NEPHILIM") returned 8 [0115.610] GetProcessHeap () returned 0x4e0000 [0115.610] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bde0 [0115.610] lstrlenA (lpString="NEPHILIM") returned 8 [0115.610] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.612] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=338) returned 1 [0115.612] GetProcessHeap () returned 0x4e0000 [0115.612] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.612] GetProcessHeap () returned 0x4e0000 [0115.612] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.612] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.612] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.612] GetProcessHeap () returned 0x4e0000 [0115.612] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.612] GetProcessHeap () returned 0x4e0000 [0115.612] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.612] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.612] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.613] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x152, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.613] SetLastError (dwErrCode=0x0) [0115.613] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.614] GetLastError () returned 0x0 [0115.615] GetLastError () returned 0x0 [0115.615] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x252, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.615] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.615] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.615] lstrlenA (lpString="NEPHILIM") returned 8 [0115.615] WriteFile (in: hFile=0xec, lpBuffer=0x50bde0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bde0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.615] GetProcessHeap () returned 0x4e0000 [0115.615] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x152) returned 0x50fd10 [0115.615] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.615] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x152, lpOverlapped=0x0) returned 1 [0115.615] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.615] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x152, lpOverlapped=0x0) returned 1 [0115.616] GetProcessHeap () returned 0x4e0000 [0115.616] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.616] CloseHandle (hObject=0xec) returned 1 [0115.616] GetProcessHeap () returned 0x4e0000 [0115.616] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.616] GetProcessHeap () returned 0x4e0000 [0115.616] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.616] GetProcessHeap () returned 0x4e0000 [0115.616] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.616] GetProcessHeap () returned 0x4e0000 [0115.616] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.616] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" [0115.616] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.NEPHILIM" [0115.616] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn.nephilim")) returned 1 [0115.617] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1e67e130, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e67e130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e6f0550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="MS.WINWORD.DEV.14.1033.hxn", cAlternateFileName="MSWINW~2.HXN")) returned 1 [0115.617] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2=".") returned 1 [0115.617] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="..") returned 1 [0115.617] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="...") returned 1 [0115.617] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="windows") returned -1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="$RECYCLE.BIN") returned 1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="log") returned 1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="NTDETECT.COM") returned -1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="ntldr") returned -1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="MSDOS.SYS") returned -1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="IO.SYS") returned 1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="boot.ini") returned 1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="AUTOEXEC.BAT") returned 1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="desktop.ini") returned 1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="CONFIG.SYS") returned 1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="RECYCLER") returned -1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="BOOTSECT.BAK") returned 1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="bootmgr") returned 1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="program files") returned -1 [0115.618] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0115.618] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.618] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.WINWORD.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" [0115.618] PathFindExtensionW (pszPath="MS.WINWORD.DEV.14.1033.hxn") returned=".hxn" [0115.618] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0115.618] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".NEPHILIM") returned -1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0115.619] lstrcmpiW (lpString1=".hxn", lpString2=".lnk") returned -1 [0115.619] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0115.619] lstrlenA (lpString="NEPHILIM") returned 8 [0115.619] GetProcessHeap () returned 0x4e0000 [0115.619] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bdf0 [0115.619] lstrlenA (lpString="NEPHILIM") returned 8 [0115.619] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.620] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=362) returned 1 [0115.620] GetProcessHeap () returned 0x4e0000 [0115.620] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.620] GetProcessHeap () returned 0x4e0000 [0115.620] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.620] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.620] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.620] GetProcessHeap () returned 0x4e0000 [0115.620] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.620] GetProcessHeap () returned 0x4e0000 [0115.620] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.621] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.621] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.621] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x16a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.621] SetLastError (dwErrCode=0x0) [0115.622] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.623] GetLastError () returned 0x0 [0115.623] GetLastError () returned 0x0 [0115.624] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x26a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.624] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.624] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x36a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.624] lstrlenA (lpString="NEPHILIM") returned 8 [0115.624] WriteFile (in: hFile=0xec, lpBuffer=0x50bdf0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bdf0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.624] GetProcessHeap () returned 0x4e0000 [0115.624] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x16a) returned 0x50fd10 [0115.624] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.624] ReadFile (in: hFile=0xec, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24de430*=0x16a, lpOverlapped=0x0) returned 1 [0115.624] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.624] WriteFile (in: hFile=0xec, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24de43c*=0x16a, lpOverlapped=0x0) returned 1 [0115.625] GetProcessHeap () returned 0x4e0000 [0115.625] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0115.625] CloseHandle (hObject=0xec) returned 1 [0115.625] GetProcessHeap () returned 0x4e0000 [0115.625] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.625] GetProcessHeap () returned 0x4e0000 [0115.625] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.625] GetProcessHeap () returned 0x4e0000 [0115.625] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.625] GetProcessHeap () returned 0x4e0000 [0115.625] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.625] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" [0115.625] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.NEPHILIM" [0115.625] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn.nephilim")) returned 1 [0115.628] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x21dc, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="nslist.hxl", cAlternateFileName="")) returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2=".") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="..") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="...") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="windows") returned -1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="$RECYCLE.BIN") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="rsa") returned -1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="log") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="NTDETECT.COM") returned -1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="ntldr") returned -1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="MSDOS.SYS") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="IO.SYS") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="boot.ini") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="AUTOEXEC.BAT") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="ntuser.dat") returned -1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="desktop.ini") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="CONFIG.SYS") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="RECYCLER") returned -1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="BOOTSECT.BAK") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="bootmgr") returned 1 [0115.628] lstrcmpiW (lpString1="nslist.hxl", lpString2="programdata") returned -1 [0115.629] lstrcmpiW (lpString1="nslist.hxl", lpString2="appdata") returned 1 [0115.629] lstrcmpiW (lpString1="nslist.hxl", lpString2="program files") returned -1 [0115.629] lstrcmpiW (lpString1="nslist.hxl", lpString2="program files (x86)") returned -1 [0115.629] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Microsoft Help\\" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\") returned="C:\\Users\\All Users\\Microsoft Help\\" [0115.629] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\", lpString2="nslist.hxl" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl") returned="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl" [0115.629] PathFindExtensionW (pszPath="nslist.hxl") returned=".hxl" [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".exe") returned 1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".log") returned -1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".cab") returned 1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".cmd") returned 1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".com") returned 1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".cpl") returned 1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".ini") returned -1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".dll") returned 1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".url") returned -1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".ttf") returned -1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".mp3") returned -1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".pif") returned -1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".mp4") returned -1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".NEPHILIM") returned -1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".msi") returned -1 [0115.629] lstrcmpiW (lpString1=".hxl", lpString2=".lnk") returned -1 [0115.630] lstrcmpiW (lpString1="nslist.hxl", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0115.630] lstrlenA (lpString="NEPHILIM") returned 8 [0115.630] GetProcessHeap () returned 0x4e0000 [0115.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50be00 [0115.630] lstrlenA (lpString="NEPHILIM") returned 8 [0115.630] CreateFileW (lpFileName="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0115.630] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=8668) returned 1 [0115.630] GetProcessHeap () returned 0x4e0000 [0115.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.631] GetProcessHeap () returned 0x4e0000 [0115.631] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.631] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.631] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.631] GetProcessHeap () returned 0x4e0000 [0115.631] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.631] GetProcessHeap () returned 0x4e0000 [0115.631] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.631] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0115.631] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0115.631] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x21dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.632] SetLastError (dwErrCode=0x0) [0115.632] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.638] GetLastError () returned 0x0 [0115.638] GetLastError () returned 0x0 [0115.639] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x22dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.639] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0115.639] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x23dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.639] lstrlenA (lpString="NEPHILIM") returned 8 [0115.639] WriteFile (in: hFile=0xec, lpBuffer=0x50be00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50be00*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0115.639] GetProcessHeap () returned 0x4e0000 [0115.639] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x21dc) returned 0x51efd8 [0115.639] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.639] ReadFile (in: hFile=0xec, lpBuffer=0x51efd8, nNumberOfBytesToRead=0x21dc, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesRead=0x24de430*=0x21dc, lpOverlapped=0x0) returned 1 [0115.647] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.648] WriteFile (in: hFile=0xec, lpBuffer=0x51efd8*, nNumberOfBytesToWrite=0x21dc, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesWritten=0x24de43c*=0x21dc, lpOverlapped=0x0) returned 1 [0115.648] GetProcessHeap () returned 0x4e0000 [0115.648] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51efd8 | out: hHeap=0x4e0000) returned 1 [0115.648] CloseHandle (hObject=0xec) returned 1 [0115.648] GetProcessHeap () returned 0x4e0000 [0115.648] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.648] GetProcessHeap () returned 0x4e0000 [0115.648] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.648] GetProcessHeap () returned 0x4e0000 [0115.648] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.648] GetProcessHeap () returned 0x4e0000 [0115.648] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.649] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl") returned="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl" [0115.649] lstrcatW (in: lpString1="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl.NEPHILIM") returned="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl.NEPHILIM" [0115.649] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl"), lpNewFileName="C:\\Users\\All Users\\Microsoft Help\\nslist.hxl.NEPHILIM" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl.nephilim")) returned 1 [0115.650] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x21dc, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="nslist.hxl", cAlternateFileName="")) returned 0 [0115.650] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0115.650] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2=".") returned 1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="..") returned 1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="...") returned 1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="windows") returned -1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="$RECYCLE.BIN") returned 1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="rsa") returned -1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="log") returned 1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="NTDETECT.COM") returned -1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="ntldr") returned -1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="MSDOS.SYS") returned -1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="IO.SYS") returned 1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="boot.ini") returned 1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="AUTOEXEC.BAT") returned 1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="ntuser.dat") returned -1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="desktop.ini") returned 1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="CONFIG.SYS") returned 1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="RECYCLER") returned -1 [0115.650] lstrcmpiW (lpString1="Mozilla", lpString2="BOOTSECT.BAK") returned 1 [0115.651] lstrcmpiW (lpString1="Mozilla", lpString2="bootmgr") returned 1 [0115.651] lstrcmpiW (lpString1="Mozilla", lpString2="programdata") returned -1 [0115.651] lstrcmpiW (lpString1="Mozilla", lpString2="appdata") returned 1 [0115.651] lstrcmpiW (lpString1="Mozilla", lpString2="program files") returned -1 [0115.651] lstrcmpiW (lpString1="Mozilla", lpString2="program files (x86)") returned -1 [0115.651] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0115.651] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Mozilla" | out: lpString1="C:\\Users\\All Users\\Mozilla") returned="C:\\Users\\All Users\\Mozilla" [0115.651] lstrcatW (in: lpString1="C:\\Users\\All Users\\Mozilla", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Mozilla\\") returned="C:\\Users\\All Users\\Mozilla\\" [0115.651] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Mozilla\\" | out: lpString1="C:\\Users\\All Users\\Mozilla\\") returned="C:\\Users\\All Users\\Mozilla\\" [0115.651] lstrcatW (in: lpString1="C:\\Users\\All Users\\Mozilla\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Mozilla\\*.*") returned="C:\\Users\\All Users\\Mozilla\\*.*" [0115.651] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Mozilla\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0115.651] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.651] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0115.651] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.651] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.652] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="logs", cAlternateFileName="")) returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2=".") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="..") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="...") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="windows") returned -1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="$RECYCLE.BIN") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="rsa") returned -1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="log") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="NTDETECT.COM") returned -1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="ntldr") returned -1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="MSDOS.SYS") returned -1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="IO.SYS") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="boot.ini") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="AUTOEXEC.BAT") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="ntuser.dat") returned -1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="desktop.ini") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="CONFIG.SYS") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="RECYCLER") returned -1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="BOOTSECT.BAK") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="bootmgr") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="programdata") returned -1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="appdata") returned 1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="program files") returned -1 [0115.652] lstrcmpiW (lpString1="logs", lpString2="program files (x86)") returned -1 [0115.652] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Mozilla\\" | out: lpString1="C:\\Users\\All Users\\Mozilla\\") returned="C:\\Users\\All Users\\Mozilla\\" [0115.652] lstrcatW (in: lpString1="C:\\Users\\All Users\\Mozilla\\", lpString2="logs" | out: lpString1="C:\\Users\\All Users\\Mozilla\\logs") returned="C:\\Users\\All Users\\Mozilla\\logs" [0115.652] lstrcatW (in: lpString1="C:\\Users\\All Users\\Mozilla\\logs", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Mozilla\\logs\\") returned="C:\\Users\\All Users\\Mozilla\\logs\\" [0115.652] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Mozilla\\logs\\" | out: lpString1="C:\\Users\\All Users\\Mozilla\\logs\\") returned="C:\\Users\\All Users\\Mozilla\\logs\\" [0115.652] lstrcatW (in: lpString1="C:\\Users\\All Users\\Mozilla\\logs\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Mozilla\\logs\\*.*") returned="C:\\Users\\All Users\\Mozilla\\logs\\*.*" [0115.653] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Mozilla\\logs\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0115.654] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.654] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0115.654] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.654] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.654] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb07822e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa4, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="maintenanceservice-install.log", cAlternateFileName="MAINTE~1.LOG")) returned 1 [0115.654] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2=".") returned 1 [0115.654] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="..") returned 1 [0115.654] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="...") returned 1 [0115.654] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="windows") returned -1 [0115.654] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="$RECYCLE.BIN") returned 1 [0115.654] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="rsa") returned -1 [0115.654] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="log") returned 1 [0115.654] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="NTDETECT.COM") returned -1 [0115.654] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="ntldr") returned -1 [0115.654] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="MSDOS.SYS") returned -1 [0115.654] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="IO.SYS") returned 1 [0115.655] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="boot.ini") returned 1 [0115.655] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="AUTOEXEC.BAT") returned 1 [0115.655] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="ntuser.dat") returned -1 [0115.655] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="desktop.ini") returned 1 [0115.655] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="CONFIG.SYS") returned 1 [0115.655] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="RECYCLER") returned -1 [0115.655] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="BOOTSECT.BAK") returned 1 [0115.655] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="bootmgr") returned 1 [0115.655] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="programdata") returned -1 [0115.655] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="appdata") returned 1 [0115.655] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="program files") returned -1 [0115.655] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="program files (x86)") returned -1 [0115.655] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Mozilla\\logs\\" | out: lpString1="C:\\Users\\All Users\\Mozilla\\logs\\") returned="C:\\Users\\All Users\\Mozilla\\logs\\" [0115.655] lstrcatW (in: lpString1="C:\\Users\\All Users\\Mozilla\\logs\\", lpString2="maintenanceservice-install.log" | out: lpString1="C:\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log") returned="C:\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log" [0115.659] PathFindExtensionW (pszPath="maintenanceservice-install.log") returned=".log" [0115.659] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0115.659] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0115.659] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb07822e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa4, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="maintenanceservice-install.log", cAlternateFileName="MAINTE~1.LOG")) returned 0 [0115.659] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0115.660] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="logs", cAlternateFileName="")) returned 0 [0115.660] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0115.660] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2=".") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="..") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="...") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="windows") returned -1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="$RECYCLE.BIN") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="rsa") returned -1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="log") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="NTDETECT.COM") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="ntldr") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="MSDOS.SYS") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="IO.SYS") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="boot.ini") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="AUTOEXEC.BAT") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="ntuser.dat") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="desktop.ini") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="CONFIG.SYS") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="RECYCLER") returned -1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="BOOTSECT.BAK") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="bootmgr") returned 1 [0115.660] lstrcmpiW (lpString1="Oracle", lpString2="programdata") returned -1 [0115.661] lstrcmpiW (lpString1="Oracle", lpString2="appdata") returned 1 [0115.661] lstrcmpiW (lpString1="Oracle", lpString2="program files") returned -1 [0115.661] lstrcmpiW (lpString1="Oracle", lpString2="program files (x86)") returned -1 [0115.661] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0115.661] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Oracle" | out: lpString1="C:\\Users\\All Users\\Oracle") returned="C:\\Users\\All Users\\Oracle" [0115.661] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Oracle\\") returned="C:\\Users\\All Users\\Oracle\\" [0115.661] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Oracle\\" | out: lpString1="C:\\Users\\All Users\\Oracle\\") returned="C:\\Users\\All Users\\Oracle\\" [0115.661] lstrcatW (in: lpString1="C:\\Users\\All Users\\Oracle\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Oracle\\*.*") returned="C:\\Users\\All Users\\Oracle\\*.*" [0115.661] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0115.661] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.661] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0115.661] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.661] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.662] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 0 [0115.662] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0115.662] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2=".") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="..") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="...") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="windows") returned -1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="$RECYCLE.BIN") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="rsa") returned -1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="log") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="NTDETECT.COM") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="ntldr") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="MSDOS.SYS") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="IO.SYS") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="boot.ini") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="AUTOEXEC.BAT") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="ntuser.dat") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="desktop.ini") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="CONFIG.SYS") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="RECYCLER") returned -1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="BOOTSECT.BAK") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="bootmgr") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="programdata") returned -1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="appdata") returned 1 [0115.662] lstrcmpiW (lpString1="Package Cache", lpString2="program files") returned -1 [0115.663] lstrcmpiW (lpString1="Package Cache", lpString2="program files (x86)") returned -1 [0115.663] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0115.663] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Package Cache" | out: lpString1="C:\\Users\\All Users\\Package Cache") returned="C:\\Users\\All Users\\Package Cache" [0115.663] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0115.663] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0115.663] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\*.*") returned="C:\\Users\\All Users\\Package Cache\\*.*" [0115.663] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0115.669] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.669] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0115.670] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.670] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.670] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="42D5BEC7DDFBD49E76467529CBC2868987BF8460", cAlternateFileName="42D5BE~1")) returned 1 [0115.670] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2=".") returned 1 [0115.670] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="..") returned 1 [0115.670] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="...") returned 1 [0115.670] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="windows") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="$RECYCLE.BIN") returned 1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="rsa") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="log") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="NTDETECT.COM") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="ntldr") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="MSDOS.SYS") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="IO.SYS") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="boot.ini") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="AUTOEXEC.BAT") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="ntuser.dat") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="desktop.ini") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="CONFIG.SYS") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="RECYCLER") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="BOOTSECT.BAK") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="bootmgr") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="programdata") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="appdata") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="program files") returned -1 [0115.671] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="program files (x86)") returned -1 [0115.671] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0115.671] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="42D5BEC7DDFBD49E76467529CBC2868987BF8460" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460" [0115.671] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\" [0115.671] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\" [0115.672] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*" [0115.672] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0115.672] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.672] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0115.672] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.672] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.672] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0115.672] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0115.672] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0115.672] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0115.672] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0115.672] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0115.672] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0115.672] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0115.672] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0115.673] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0115.673] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\" [0115.673] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages" [0115.673] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\" [0115.673] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\" [0115.673] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*" [0115.673] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0115.674] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.674] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0115.674] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.674] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.674] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x24de260, cFileName="Patch", cAlternateFileName="")) returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2=".") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="..") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="...") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="windows") returned -1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="$RECYCLE.BIN") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="rsa") returned -1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="log") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="NTDETECT.COM") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="ntldr") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="MSDOS.SYS") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="IO.SYS") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="boot.ini") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="AUTOEXEC.BAT") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="ntuser.dat") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="desktop.ini") returned 1 [0115.674] lstrcmpiW (lpString1="Patch", lpString2="CONFIG.SYS") returned 1 [0115.675] lstrcmpiW (lpString1="Patch", lpString2="RECYCLER") returned -1 [0115.675] lstrcmpiW (lpString1="Patch", lpString2="BOOTSECT.BAK") returned 1 [0115.675] lstrcmpiW (lpString1="Patch", lpString2="bootmgr") returned 1 [0115.675] lstrcmpiW (lpString1="Patch", lpString2="programdata") returned -1 [0115.675] lstrcmpiW (lpString1="Patch", lpString2="appdata") returned 1 [0115.675] lstrcmpiW (lpString1="Patch", lpString2="program files") returned -1 [0115.675] lstrcmpiW (lpString1="Patch", lpString2="program files (x86)") returned -1 [0115.675] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\" [0115.675] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\", lpString2="Patch" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch" [0115.675] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\" [0115.675] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\" [0115.675] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*" [0115.675] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0115.675] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.675] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0115.675] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.676] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.676] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24ddbe0, cFileName="x64", cAlternateFileName="")) returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2=".") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="..") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="...") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="windows") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="$RECYCLE.BIN") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="rsa") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="log") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="NTDETECT.COM") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="ntldr") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="MSDOS.SYS") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="IO.SYS") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="boot.ini") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="AUTOEXEC.BAT") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="ntuser.dat") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="desktop.ini") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="CONFIG.SYS") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="RECYCLER") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="BOOTSECT.BAK") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="bootmgr") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="programdata") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="appdata") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="program files") returned 1 [0115.676] lstrcmpiW (lpString1="x64", lpString2="program files (x86)") returned 1 [0115.676] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\" [0115.676] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\", lpString2="x64" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64" [0115.676] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\" [0115.676] lstrcpyW (in: lpString1=0x24dcee0, lpString2="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\" [0115.677] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*" [0115.677] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*", lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba00b8, dwReserved1=0x24dd560, cFileName=".", cAlternateFileName="")) returned 0x50aa00 [0115.677] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.677] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba00b8, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 1 [0115.677] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.677] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.677] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0x59d2100, ftLastWriteTime.dwHighDateTime=0x1d0a100, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0xba00b8, dwReserved1=0x24dd560, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0115.677] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2=".") returned 1 [0115.677] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="..") returned 1 [0115.677] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="...") returned 1 [0115.677] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="windows") returned 1 [0115.677] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="$RECYCLE.BIN") returned 1 [0115.677] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="rsa") returned 1 [0115.677] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="log") returned 1 [0115.677] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="NTDETECT.COM") returned 1 [0115.677] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="ntldr") returned 1 [0115.677] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="MSDOS.SYS") returned 1 [0115.677] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="IO.SYS") returned 1 [0115.677] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="boot.ini") returned 1 [0115.678] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="AUTOEXEC.BAT") returned 1 [0115.678] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="ntuser.dat") returned 1 [0115.678] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="desktop.ini") returned 1 [0115.678] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="CONFIG.SYS") returned 1 [0115.678] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="RECYCLER") returned 1 [0115.678] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="BOOTSECT.BAK") returned 1 [0115.678] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="bootmgr") returned 1 [0115.678] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="programdata") returned 1 [0115.678] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="appdata") returned 1 [0115.678] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="program files") returned 1 [0115.678] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="program files (x86)") returned 1 [0115.678] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\" [0115.678] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\", lpString2="Windows6.1-KB2999226-x64.msu" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0115.678] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x64.msu") returned=".msu" [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".exe") returned 1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".log") returned 1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".cab") returned 1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".cmd") returned 1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".com") returned 1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".cpl") returned 1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".url") returned -1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".ttf") returned -1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".mp3") returned 1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".pif") returned -1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".mp4") returned 1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".NEPHILIM") returned -1 [0115.678] lstrcmpiW (lpString1=".msu", lpString2=".msi") returned 1 [0115.679] lstrcmpiW (lpString1=".msu", lpString2=".lnk") returned 1 [0115.679] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0115.679] lstrlenA (lpString="NEPHILIM") returned 8 [0115.679] GetProcessHeap () returned 0x4e0000 [0115.679] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50be10 [0115.679] lstrlenA (lpString="NEPHILIM") returned 8 [0115.679] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xfc [0115.679] GetFileSizeEx (in: hFile=0xfc, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=1012025) returned 1 [0115.679] GetProcessHeap () returned 0x4e0000 [0115.679] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.680] GetProcessHeap () returned 0x4e0000 [0115.680] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.680] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.680] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.680] GetProcessHeap () returned 0x4e0000 [0115.680] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.680] GetProcessHeap () returned 0x4e0000 [0115.680] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.680] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24dc808*=0x100) returned 1 [0115.680] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24dc804*=0x100) returned 1 [0115.680] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0xf7139, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.680] SetLastError (dwErrCode=0x0) [0115.680] WriteFile (in: hFile=0xfc, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0115.779] GetLastError () returned 0x0 [0115.779] GetLastError () returned 0x0 [0115.779] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0xf7239, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.779] WriteFile (in: hFile=0xfc, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0115.779] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0xf7339, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.779] lstrlenA (lpString="NEPHILIM") returned 8 [0115.779] WriteFile (in: hFile=0xfc, lpBuffer=0x50be10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50be10*, lpNumberOfBytesWritten=0x24dca3c*=0x8, lpOverlapped=0x0) returned 1 [0115.780] GetProcessHeap () returned 0x4e0000 [0115.780] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xf7139) returned 0x22b0020 [0115.780] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.780] ReadFile (in: hFile=0xfc, lpBuffer=0x22b0020, nNumberOfBytesToRead=0xf7139, lpNumberOfBytesRead=0x24dca30, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesRead=0x24dca30*=0xf7139, lpOverlapped=0x0) returned 1 [0115.885] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.885] WriteFile (in: hFile=0xfc, lpBuffer=0x22b0020*, nNumberOfBytesToWrite=0xf7139, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesWritten=0x24dca3c*=0xf7139, lpOverlapped=0x0) returned 1 [0115.888] GetProcessHeap () returned 0x4e0000 [0115.889] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x22b0020 | out: hHeap=0x4e0000) returned 1 [0115.894] CloseHandle (hObject=0xfc) returned 1 [0115.895] GetProcessHeap () returned 0x4e0000 [0115.895] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0115.895] GetProcessHeap () returned 0x4e0000 [0115.895] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0115.895] GetProcessHeap () returned 0x4e0000 [0115.895] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0115.895] GetProcessHeap () returned 0x4e0000 [0115.895] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0115.895] lstrcpyW (in: lpString1=0x24dc828, lpString2="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0115.895] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.NEPHILIM") returned="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.NEPHILIM" [0115.895] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.NEPHILIM" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.nephilim")) returned 1 [0115.896] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0x59d2100, ftLastWriteTime.dwHighDateTime=0x1d0a100, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0xba00b8, dwReserved1=0x24dd560, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 0 [0115.897] FindClose (in: hFindFile=0x50aa00 | out: hFindFile=0x50aa00) returned 1 [0115.898] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24ddbe0, cFileName="x64", cAlternateFileName="")) returned 0 [0115.898] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0115.898] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x24de260, cFileName="Patch", cAlternateFileName="")) returned 0 [0115.898] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0115.898] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0115.898] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0115.898] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", cAlternateFileName="54050A~1")) returned 1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2=".") returned 1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="..") returned 1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="...") returned 1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="windows") returned -1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="$RECYCLE.BIN") returned 1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="rsa") returned -1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="log") returned -1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="NTDETECT.COM") returned -1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="ntldr") returned -1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="MSDOS.SYS") returned -1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="IO.SYS") returned -1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="boot.ini") returned -1 [0115.898] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="AUTOEXEC.BAT") returned -1 [0115.899] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="ntuser.dat") returned -1 [0115.899] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="desktop.ini") returned -1 [0115.899] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="CONFIG.SYS") returned -1 [0115.899] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="RECYCLER") returned -1 [0115.899] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="BOOTSECT.BAK") returned -1 [0115.899] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="bootmgr") returned -1 [0115.899] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="programdata") returned -1 [0115.899] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="appdata") returned -1 [0115.899] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="program files") returned -1 [0115.899] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="program files (x86)") returned -1 [0115.899] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0115.899] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D" [0115.899] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\" [0115.899] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\" [0115.899] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*" [0115.899] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0115.900] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.900] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0115.900] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.900] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.901] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0115.901] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0115.902] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0115.902] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\" [0115.902] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages" [0115.902] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\" [0115.902] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\" [0115.902] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*" [0115.902] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0115.902] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.903] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0115.903] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.903] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.903] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x24de260, cFileName="Patch", cAlternateFileName="")) returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2=".") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="..") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="...") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="windows") returned -1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="$RECYCLE.BIN") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="rsa") returned -1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="log") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="NTDETECT.COM") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="ntldr") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="MSDOS.SYS") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="IO.SYS") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="boot.ini") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="AUTOEXEC.BAT") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="ntuser.dat") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="desktop.ini") returned 1 [0115.903] lstrcmpiW (lpString1="Patch", lpString2="CONFIG.SYS") returned 1 [0115.904] lstrcmpiW (lpString1="Patch", lpString2="RECYCLER") returned -1 [0115.904] lstrcmpiW (lpString1="Patch", lpString2="BOOTSECT.BAK") returned 1 [0115.904] lstrcmpiW (lpString1="Patch", lpString2="bootmgr") returned 1 [0115.904] lstrcmpiW (lpString1="Patch", lpString2="programdata") returned -1 [0115.904] lstrcmpiW (lpString1="Patch", lpString2="appdata") returned 1 [0115.904] lstrcmpiW (lpString1="Patch", lpString2="program files") returned -1 [0115.904] lstrcmpiW (lpString1="Patch", lpString2="program files (x86)") returned -1 [0115.904] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\" [0115.904] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\", lpString2="Patch" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch" [0115.904] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\" [0115.904] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\" [0115.904] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*" [0115.904] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0115.905] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.905] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0115.905] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.905] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.906] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24ddbe0, cFileName="x64", cAlternateFileName="")) returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2=".") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="..") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="...") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="windows") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="$RECYCLE.BIN") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="rsa") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="log") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="NTDETECT.COM") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="ntldr") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="MSDOS.SYS") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="IO.SYS") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="boot.ini") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="AUTOEXEC.BAT") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="ntuser.dat") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="desktop.ini") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="CONFIG.SYS") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="RECYCLER") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="BOOTSECT.BAK") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="bootmgr") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="programdata") returned 1 [0115.906] lstrcmpiW (lpString1="x64", lpString2="appdata") returned 1 [0115.907] lstrcmpiW (lpString1="x64", lpString2="program files") returned 1 [0115.907] lstrcmpiW (lpString1="x64", lpString2="program files (x86)") returned 1 [0115.907] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\" [0115.907] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\", lpString2="x64" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64" [0115.907] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\" [0115.907] lstrcpyW (in: lpString1=0x24dcee0, lpString2="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\" [0115.907] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*" [0115.907] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*", lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba00b8, dwReserved1=0x24dd560, cFileName=".", cAlternateFileName="")) returned 0x50aa00 [0115.907] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0115.907] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba00b8, dwReserved1=0x24dd560, cFileName="..", cAlternateFileName="")) returned 1 [0115.907] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0115.907] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0115.907] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ab54b00, ftCreationTime.dwHighDateTime=0x1d1a02d, ftLastAccessTime.dwLowDateTime=0x9ab54b00, ftLastAccessTime.dwHighDateTime=0x1d1a02d, ftLastWriteTime.dwLowDateTime=0x9ab54b00, ftLastWriteTime.dwHighDateTime=0x1d1a02d, nFileSizeHigh=0x0, nFileSizeLow=0xfc93c, dwReserved0=0xba00b8, dwReserved1=0x24dd560, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0115.907] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2=".") returned 1 [0115.907] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="..") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="...") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="windows") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="$RECYCLE.BIN") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="rsa") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="log") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="NTDETECT.COM") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="ntldr") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="MSDOS.SYS") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="IO.SYS") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="boot.ini") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="AUTOEXEC.BAT") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="ntuser.dat") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="desktop.ini") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="CONFIG.SYS") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="RECYCLER") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="BOOTSECT.BAK") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="bootmgr") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="programdata") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="appdata") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="program files") returned 1 [0115.908] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="program files (x86)") returned 1 [0115.908] lstrcpyW (in: lpString1=0x24dccd8, lpString2="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\" [0115.908] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\", lpString2="Windows6.1-KB2999226-x64.msu" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0115.908] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x64.msu") returned=".msu" [0115.908] lstrcmpiW (lpString1=".msu", lpString2=".exe") returned 1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".log") returned 1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".cab") returned 1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".cmd") returned 1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".com") returned 1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".cpl") returned 1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".url") returned -1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".ttf") returned -1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".mp3") returned 1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".pif") returned -1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".mp4") returned 1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".NEPHILIM") returned -1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".msi") returned 1 [0115.909] lstrcmpiW (lpString1=".msu", lpString2=".lnk") returned 1 [0115.909] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0115.909] lstrlenA (lpString="NEPHILIM") returned 8 [0115.909] GetProcessHeap () returned 0x4e0000 [0115.909] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50be20 [0115.909] lstrlenA (lpString="NEPHILIM") returned 8 [0115.909] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xfc [0115.910] GetFileSizeEx (in: hFile=0xfc, lpFileSize=0x24dca48 | out: lpFileSize=0x24dca48*=1034556) returned 1 [0115.910] GetProcessHeap () returned 0x4e0000 [0115.910] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0115.910] GetProcessHeap () returned 0x4e0000 [0115.910] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0115.910] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0115.910] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0115.910] GetProcessHeap () returned 0x4e0000 [0115.910] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0115.911] GetProcessHeap () returned 0x4e0000 [0115.911] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0115.911] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24dc808*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24dc808*=0x100) returned 1 [0115.911] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24dc804*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24dc804*=0x100) returned 1 [0115.911] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0xfc93c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.911] SetLastError (dwErrCode=0x0) [0115.911] WriteFile (in: hFile=0xfc, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0115.914] GetLastError () returned 0x0 [0115.914] GetLastError () returned 0x0 [0115.914] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0xfca3c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.914] WriteFile (in: hFile=0xfc, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24dca3c*=0x100, lpOverlapped=0x0) returned 1 [0115.914] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0xfcb3c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.914] lstrlenA (lpString="NEPHILIM") returned 8 [0115.914] WriteFile (in: hFile=0xfc, lpBuffer=0x50be20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x50be20*, lpNumberOfBytesWritten=0x24dca3c*=0x8, lpOverlapped=0x0) returned 1 [0115.914] GetProcessHeap () returned 0x4e0000 [0115.914] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xfc93c) returned 0x22b0020 [0115.915] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.915] ReadFile (in: hFile=0xfc, lpBuffer=0x22b0020, nNumberOfBytesToRead=0xfc93c, lpNumberOfBytesRead=0x24dca30, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesRead=0x24dca30*=0xfc93c, lpOverlapped=0x0) returned 1 [0116.010] SetFilePointerEx (in: hFile=0xfc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.010] WriteFile (in: hFile=0xfc, lpBuffer=0x22b0020*, nNumberOfBytesToWrite=0xfc93c, lpNumberOfBytesWritten=0x24dca3c, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesWritten=0x24dca3c*=0xfc93c, lpOverlapped=0x0) returned 1 [0116.015] GetProcessHeap () returned 0x4e0000 [0116.015] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x22b0020 | out: hHeap=0x4e0000) returned 1 [0116.021] CloseHandle (hObject=0xfc) returned 1 [0116.021] GetProcessHeap () returned 0x4e0000 [0116.022] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.022] GetProcessHeap () returned 0x4e0000 [0116.022] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.022] GetProcessHeap () returned 0x4e0000 [0116.022] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.022] GetProcessHeap () returned 0x4e0000 [0116.022] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.022] lstrcpyW (in: lpString1=0x24dc828, lpString2="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0116.022] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.NEPHILIM") returned="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.NEPHILIM" [0116.022] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.NEPHILIM" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.nephilim")) returned 1 [0116.023] FindNextFileW (in: hFindFile=0x50aa00, lpFindFileData=0x24dca88 | out: lpFindFileData=0x24dca88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ab54b00, ftCreationTime.dwHighDateTime=0x1d1a02d, ftLastAccessTime.dwLowDateTime=0x9ab54b00, ftLastAccessTime.dwHighDateTime=0x1d1a02d, ftLastWriteTime.dwLowDateTime=0x9ab54b00, ftLastWriteTime.dwHighDateTime=0x1d1a02d, nFileSizeHigh=0x0, nFileSizeLow=0xfc93c, dwReserved0=0xba00b8, dwReserved1=0x24dd560, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 0 [0116.023] FindClose (in: hFindFile=0x50aa00 | out: hFindFile=0x50aa00) returned 1 [0116.023] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24ddbe0, cFileName="x64", cAlternateFileName="")) returned 0 [0116.023] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.023] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x24de260, cFileName="Patch", cAlternateFileName="")) returned 0 [0116.023] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.023] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.024] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.024] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2=".") returned 1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="..") returned 1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="...") returned 1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="windows") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="$RECYCLE.BIN") returned 1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="rsa") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="log") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="NTDETECT.COM") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="ntldr") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="MSDOS.SYS") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="IO.SYS") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="boot.ini") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="AUTOEXEC.BAT") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="ntuser.dat") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="desktop.ini") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="CONFIG.SYS") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="RECYCLER") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="BOOTSECT.BAK") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="bootmgr") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="programdata") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="appdata") returned -1 [0116.024] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="program files") returned -1 [0116.025] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="program files (x86)") returned -1 [0116.025] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.025] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" [0116.025] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\" [0116.025] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\" [0116.025] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*" [0116.025] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.025] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.025] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.025] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.025] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.025] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0116.025] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0116.025] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0116.026] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0116.027] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\" [0116.027] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" [0116.027] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\" [0116.027] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\" [0116.027] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*" [0116.027] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.029] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.029] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.029] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.029] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.029] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0116.029] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0116.029] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0116.029] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="...") returned 1 [0116.029] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="windows") returned -1 [0116.029] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$RECYCLE.BIN") returned 1 [0116.029] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="rsa") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="log") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="NTDETECT.COM") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntldr") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="MSDOS.SYS") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="IO.SYS") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="boot.ini") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="AUTOEXEC.BAT") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntuser.dat") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="desktop.ini") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="CONFIG.SYS") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="RECYCLER") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="BOOTSECT.BAK") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="bootmgr") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="programdata") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="appdata") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files") returned 1 [0116.030] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files (x86)") returned 1 [0116.030] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\" [0116.030] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", lpString2="vcRuntimeMinimum_x86" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" [0116.030] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" [0116.030] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" [0116.030] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" [0116.030] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0116.031] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.031] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0116.031] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.031] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.031] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x50cc6500, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0116.031] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0116.031] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0116.031] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0116.031] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0116.031] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="log") returned -1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0116.032] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0116.033] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0116.033] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" [0116.033] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", lpString2="cab1.cab" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0116.033] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0116.033] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0116.033] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0116.033] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0116.033] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x50cc6500, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0116.033] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0116.033] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0116.033] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="...") returned 1 [0116.033] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="windows") returned -1 [0116.033] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0116.033] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="rsa") returned 1 [0116.033] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="log") returned 1 [0116.033] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="NTDETECT.COM") returned 1 [0116.033] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntldr") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="MSDOS.SYS") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="IO.SYS") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="boot.ini") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntuser.dat") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="desktop.ini") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="CONFIG.SYS") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="RECYCLER") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="bootmgr") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="programdata") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="appdata") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files") returned 1 [0116.034] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files (x86)") returned 1 [0116.034] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" [0116.034] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", lpString2="vc_runtimeMinimum_x86.msi" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0116.035] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0116.035] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0116.035] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x50cc6500, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0116.035] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.036] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0116.036] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.036] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.036] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.036] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2=".") returned 1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="..") returned 1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="...") returned 1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="windows") returned -1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="$RECYCLE.BIN") returned 1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="rsa") returned -1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="log") returned -1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="NTDETECT.COM") returned -1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="ntldr") returned -1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="MSDOS.SYS") returned -1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="IO.SYS") returned -1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="boot.ini") returned -1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="AUTOEXEC.BAT") returned -1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="ntuser.dat") returned -1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="desktop.ini") returned -1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="CONFIG.SYS") returned -1 [0116.036] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="RECYCLER") returned -1 [0116.037] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="BOOTSECT.BAK") returned -1 [0116.037] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="bootmgr") returned -1 [0116.037] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="programdata") returned -1 [0116.037] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="appdata") returned -1 [0116.037] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="program files") returned -1 [0116.037] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="program files (x86)") returned -1 [0116.037] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.037] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" [0116.037] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\") returned="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" [0116.037] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\") returned="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" [0116.037] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0116.037] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.037] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.037] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.037] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.038] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.038] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd314a0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xf08b3aa0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="log") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0116.038] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0116.039] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\") returned="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" [0116.039] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="state.rsm" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" [0116.039] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".NEPHILIM") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0116.039] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0116.039] lstrcmpiW (lpString1="state.rsm", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0116.039] lstrlenA (lpString="NEPHILIM") returned 8 [0116.039] GetProcessHeap () returned 0x4e0000 [0116.039] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50be30 [0116.040] lstrlenA (lpString="NEPHILIM") returned 8 [0116.040] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0116.042] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=654) returned 1 [0116.042] GetProcessHeap () returned 0x4e0000 [0116.042] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.042] GetProcessHeap () returned 0x4e0000 [0116.042] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.042] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.042] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.042] GetProcessHeap () returned 0x4e0000 [0116.042] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.042] GetProcessHeap () returned 0x4e0000 [0116.042] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.042] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0116.042] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0116.043] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x28e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.043] SetLastError (dwErrCode=0x0) [0116.043] WriteFile (in: hFile=0xf0, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.044] GetLastError () returned 0x0 [0116.045] GetLastError () returned 0x0 [0116.045] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x38e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.045] WriteFile (in: hFile=0xf0, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.045] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x48e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.045] lstrlenA (lpString="NEPHILIM") returned 8 [0116.045] WriteFile (in: hFile=0xf0, lpBuffer=0x50be30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50be30*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0116.045] GetProcessHeap () returned 0x4e0000 [0116.045] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x28e) returned 0x50fd10 [0116.045] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.045] ReadFile (in: hFile=0xf0, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x28e, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24dddb0*=0x28e, lpOverlapped=0x0) returned 1 [0116.045] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.045] WriteFile (in: hFile=0xf0, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24dddbc*=0x28e, lpOverlapped=0x0) returned 1 [0116.046] GetProcessHeap () returned 0x4e0000 [0116.046] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0116.046] CloseHandle (hObject=0xf0) returned 1 [0116.046] GetProcessHeap () returned 0x4e0000 [0116.046] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.046] GetProcessHeap () returned 0x4e0000 [0116.046] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.046] GetProcessHeap () returned 0x4e0000 [0116.046] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.046] GetProcessHeap () returned 0x4e0000 [0116.046] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.046] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" [0116.046] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.NEPHILIM") returned="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.NEPHILIM" [0116.046] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.NEPHILIM" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.nephilim")) returned 1 [0116.047] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd0b340, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd3ea4f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0116.047] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2=".") returned 1 [0116.047] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="..") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="...") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="windows") returned -1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$RECYCLE.BIN") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="rsa") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="log") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="NTDETECT.COM") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntldr") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="MSDOS.SYS") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="IO.SYS") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="boot.ini") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="AUTOEXEC.BAT") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntuser.dat") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="desktop.ini") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="CONFIG.SYS") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="RECYCLER") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="BOOTSECT.BAK") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="bootmgr") returned 1 [0116.048] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="programdata") returned 1 [0116.049] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="appdata") returned 1 [0116.049] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files") returned 1 [0116.049] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files (x86)") returned 1 [0116.049] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\") returned="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" [0116.049] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="vcredist_x86.exe" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" [0116.049] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0116.049] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0116.049] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd0b340, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd3ea4f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0116.049] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.049] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0116.049] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2=".") returned 1 [0116.049] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="..") returned 1 [0116.049] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="...") returned 1 [0116.049] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="windows") returned -1 [0116.049] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="$RECYCLE.BIN") returned 1 [0116.049] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="rsa") returned -1 [0116.049] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="log") returned -1 [0116.049] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="NTDETECT.COM") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="ntldr") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="MSDOS.SYS") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="IO.SYS") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="boot.ini") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="AUTOEXEC.BAT") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="ntuser.dat") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="desktop.ini") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="CONFIG.SYS") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="RECYCLER") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="BOOTSECT.BAK") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="bootmgr") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="programdata") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="appdata") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="program files") returned -1 [0116.050] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="program files (x86)") returned -1 [0116.050] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.050] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" [0116.050] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\" [0116.050] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\" [0116.050] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*" [0116.050] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.052] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.052] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.052] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.052] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.052] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0116.052] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0116.053] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0116.053] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0116.053] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0116.053] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0116.053] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0116.053] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0116.053] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0116.053] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\" [0116.053] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" [0116.053] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\" [0116.053] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\" [0116.053] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*" [0116.053] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.053] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.053] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.053] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.053] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.054] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="...") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="windows") returned -1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$RECYCLE.BIN") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="rsa") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="log") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="NTDETECT.COM") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntldr") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="MSDOS.SYS") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="IO.SYS") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="boot.ini") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntuser.dat") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="desktop.ini") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="CONFIG.SYS") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="RECYCLER") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="BOOTSECT.BAK") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="bootmgr") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="programdata") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="appdata") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files") returned 1 [0116.054] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files (x86)") returned 1 [0116.054] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\" [0116.054] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\", lpString2="vcRuntimeAdditional_amd64" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" [0116.055] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" [0116.055] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" [0116.055] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" [0116.055] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0116.055] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.055] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0116.055] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.055] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.055] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa87bcb00, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0xa87bcb00, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0xa87bcb00, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0x588124, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0116.055] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0116.055] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0116.055] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0116.055] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0116.055] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0116.055] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0116.055] lstrcmpiW (lpString1="cab1.cab", lpString2="log") returned -1 [0116.055] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0116.056] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0116.056] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" [0116.056] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\", lpString2="cab1.cab" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0116.056] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0116.056] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0116.056] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0116.056] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0116.056] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4374a500, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x4374a500, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x4374a500, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0116.056] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0116.056] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0116.056] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="...") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="windows") returned -1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="rsa") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="log") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="NTDETECT.COM") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntldr") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="MSDOS.SYS") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="IO.SYS") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="boot.ini") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntuser.dat") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="desktop.ini") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="CONFIG.SYS") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="RECYCLER") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="bootmgr") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="programdata") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="appdata") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files") returned 1 [0116.057] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files (x86)") returned 1 [0116.057] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" [0116.057] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\", lpString2="vc_runtimeAdditional_x64.msi" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0116.057] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0116.057] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0116.057] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0116.058] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0116.058] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4374a500, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x4374a500, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x4374a500, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0116.059] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.059] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0116.059] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.059] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.059] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.059] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0116.059] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2=".") returned 1 [0116.059] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="..") returned 1 [0116.059] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="...") returned 1 [0116.059] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="windows") returned -1 [0116.059] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="$RECYCLE.BIN") returned 1 [0116.059] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="rsa") returned -1 [0116.059] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="log") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="NTDETECT.COM") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="ntldr") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="MSDOS.SYS") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="IO.SYS") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="boot.ini") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="AUTOEXEC.BAT") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="ntuser.dat") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="desktop.ini") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="CONFIG.SYS") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="RECYCLER") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="BOOTSECT.BAK") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="bootmgr") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="programdata") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="appdata") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="program files") returned -1 [0116.060] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="program files (x86)") returned -1 [0116.060] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.060] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" [0116.060] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\") returned="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" [0116.060] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\") returned="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" [0116.060] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0116.060] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.062] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.062] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.062] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.062] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.062] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a127460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1c821ca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="log") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0116.062] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0116.063] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0116.063] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0116.063] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0116.063] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0116.063] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0116.063] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0116.063] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0116.063] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\") returned="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" [0116.063] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="state.rsm" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" [0116.063] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0116.063] lstrcmpiW (lpString1=".rsm", lpString2=".NEPHILIM") returned 1 [0116.064] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0116.064] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0116.064] lstrcmpiW (lpString1="state.rsm", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0116.064] lstrlenA (lpString="NEPHILIM") returned 8 [0116.064] GetProcessHeap () returned 0x4e0000 [0116.064] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50be40 [0116.064] lstrlenA (lpString="NEPHILIM") returned 8 [0116.064] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0116.064] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=666) returned 1 [0116.065] GetProcessHeap () returned 0x4e0000 [0116.065] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.065] GetProcessHeap () returned 0x4e0000 [0116.065] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.065] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.065] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.065] GetProcessHeap () returned 0x4e0000 [0116.065] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.065] GetProcessHeap () returned 0x4e0000 [0116.065] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.065] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0116.065] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0116.066] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x29a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.066] SetLastError (dwErrCode=0x0) [0116.066] WriteFile (in: hFile=0xf0, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.068] GetLastError () returned 0x0 [0116.068] GetLastError () returned 0x0 [0116.068] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x39a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.068] WriteFile (in: hFile=0xf0, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.068] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x49a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.068] lstrlenA (lpString="NEPHILIM") returned 8 [0116.068] WriteFile (in: hFile=0xf0, lpBuffer=0x50be40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50be40*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0116.068] GetProcessHeap () returned 0x4e0000 [0116.068] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x29a) returned 0x50fd10 [0116.068] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.068] ReadFile (in: hFile=0xf0, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x29a, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24dddb0*=0x29a, lpOverlapped=0x0) returned 1 [0116.069] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.069] WriteFile (in: hFile=0xf0, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24dddbc*=0x29a, lpOverlapped=0x0) returned 1 [0116.069] GetProcessHeap () returned 0x4e0000 [0116.069] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0116.069] CloseHandle (hObject=0xf0) returned 1 [0116.069] GetProcessHeap () returned 0x4e0000 [0116.069] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.069] GetProcessHeap () returned 0x4e0000 [0116.069] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.069] GetProcessHeap () returned 0x4e0000 [0116.069] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.069] GetProcessHeap () returned 0x4e0000 [0116.069] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.069] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" [0116.069] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.NEPHILIM") returned="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.NEPHILIM" [0116.069] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.NEPHILIM" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.nephilim")) returned 1 [0116.070] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a0db1a0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1073de80, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2=".") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="..") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="...") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="windows") returned -1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$RECYCLE.BIN") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="rsa") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="log") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="NTDETECT.COM") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntldr") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="MSDOS.SYS") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="IO.SYS") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="boot.ini") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="AUTOEXEC.BAT") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntuser.dat") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="desktop.ini") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="CONFIG.SYS") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="RECYCLER") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="BOOTSECT.BAK") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="bootmgr") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="programdata") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="appdata") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files") returned 1 [0116.071] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files (x86)") returned 1 [0116.071] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\") returned="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" [0116.071] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="vcredist_x64.exe" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" [0116.072] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0116.072] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0116.072] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a0db1a0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1073de80, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0116.072] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.072] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2=".") returned 1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="..") returned 1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="...") returned 1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="windows") returned -1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="$RECYCLE.BIN") returned 1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="rsa") returned -1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="log") returned -1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="NTDETECT.COM") returned -1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="ntldr") returned -1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="MSDOS.SYS") returned -1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="IO.SYS") returned -1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="boot.ini") returned -1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="AUTOEXEC.BAT") returned -1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="ntuser.dat") returned -1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="desktop.ini") returned -1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="CONFIG.SYS") returned -1 [0116.072] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="RECYCLER") returned -1 [0116.073] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="BOOTSECT.BAK") returned -1 [0116.073] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="bootmgr") returned -1 [0116.073] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="programdata") returned -1 [0116.073] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="appdata") returned -1 [0116.073] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="program files") returned -1 [0116.073] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="program files (x86)") returned -1 [0116.073] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.073] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017" [0116.073] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\" [0116.073] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\" [0116.073] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*" [0116.073] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.073] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.074] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.074] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.074] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.074] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0116.074] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0116.074] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0116.075] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0116.075] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0116.075] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0116.075] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0116.075] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0116.075] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0116.075] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0116.075] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0116.075] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0116.075] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\" [0116.075] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages" [0116.075] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\" [0116.075] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\" [0116.075] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*" [0116.075] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.076] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.076] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.076] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.076] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.076] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="...") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="windows") returned -1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$RECYCLE.BIN") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="rsa") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="log") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="NTDETECT.COM") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntldr") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="MSDOS.SYS") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="IO.SYS") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="boot.ini") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="AUTOEXEC.BAT") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntuser.dat") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="desktop.ini") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="CONFIG.SYS") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="RECYCLER") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="BOOTSECT.BAK") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="bootmgr") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="programdata") returned 1 [0116.076] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="appdata") returned 1 [0116.077] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files") returned 1 [0116.077] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files (x86)") returned 1 [0116.077] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\" [0116.077] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", lpString2="vcRuntimeMinimum_x86" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86" [0116.077] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" [0116.077] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" [0116.077] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" [0116.077] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0116.077] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.077] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0116.077] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.077] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.077] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd15e8b00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd15e8b00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd15e8b00, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x13babb, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0116.077] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0116.077] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="log") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0116.078] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0116.078] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" [0116.078] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\", lpString2="cab1.cab" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0116.078] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0116.078] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0116.079] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0116.079] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0116.079] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb17b200, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfb17b200, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfb17b200, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="...") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="windows") returned -1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="rsa") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="log") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="NTDETECT.COM") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntldr") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="MSDOS.SYS") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="IO.SYS") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="boot.ini") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntuser.dat") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="desktop.ini") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="CONFIG.SYS") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="RECYCLER") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="bootmgr") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="programdata") returned 1 [0116.079] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="appdata") returned 1 [0116.080] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files") returned 1 [0116.080] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files (x86)") returned 1 [0116.080] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" [0116.080] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\", lpString2="vc_runtimeMinimum_x86.msi" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0116.080] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0116.080] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0116.080] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb17b200, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfb17b200, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfb17b200, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0116.080] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.081] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0116.081] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.081] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.081] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.081] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2=".") returned 1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="..") returned 1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="...") returned 1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="windows") returned -1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="$RECYCLE.BIN") returned 1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="rsa") returned -1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="log") returned -1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="NTDETECT.COM") returned -1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="ntldr") returned -1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="MSDOS.SYS") returned -1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="IO.SYS") returned -1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="boot.ini") returned -1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="AUTOEXEC.BAT") returned -1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="ntuser.dat") returned -1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="desktop.ini") returned -1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="CONFIG.SYS") returned -1 [0116.081] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="RECYCLER") returned -1 [0116.082] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="BOOTSECT.BAK") returned -1 [0116.082] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="bootmgr") returned -1 [0116.082] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="programdata") returned -1 [0116.082] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="appdata") returned -1 [0116.082] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="program files") returned -1 [0116.082] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="program files (x86)") returned -1 [0116.082] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.082] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017" [0116.082] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\" [0116.082] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\" [0116.082] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*" [0116.082] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.083] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.083] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.083] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.083] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.083] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0116.083] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0116.084] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0116.084] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\" [0116.084] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages" [0116.084] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\" [0116.085] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\" [0116.085] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*" [0116.085] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.085] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.085] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.085] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.085] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.085] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0116.085] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0116.085] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0116.085] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="...") returned 1 [0116.085] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="windows") returned -1 [0116.085] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$RECYCLE.BIN") returned 1 [0116.085] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="rsa") returned 1 [0116.085] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="log") returned 1 [0116.085] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="NTDETECT.COM") returned 1 [0116.085] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntldr") returned 1 [0116.085] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="MSDOS.SYS") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="IO.SYS") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="boot.ini") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="AUTOEXEC.BAT") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntuser.dat") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="desktop.ini") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="CONFIG.SYS") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="RECYCLER") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="BOOTSECT.BAK") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="bootmgr") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="programdata") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="appdata") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files") returned 1 [0116.086] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files (x86)") returned 1 [0116.086] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\" [0116.086] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86" [0116.086] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" [0116.086] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" [0116.086] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" [0116.086] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0116.087] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.087] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0116.087] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.087] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.087] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c0e500, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd3c0e500, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd3c0e500, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x4f699e, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="log") returned -1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0116.087] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0116.088] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0116.088] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0116.088] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0116.088] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0116.088] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0116.088] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0116.088] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0116.088] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" [0116.088] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\", lpString2="cab1.cab" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0116.088] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0116.088] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0116.088] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0116.088] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0116.088] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeab3900, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfeab3900, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfeab3900, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0116.088] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0116.088] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0116.088] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="...") returned 1 [0116.088] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="windows") returned -1 [0116.088] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0116.088] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="rsa") returned 1 [0116.088] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="log") returned 1 [0116.088] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="NTDETECT.COM") returned 1 [0116.088] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntldr") returned 1 [0116.088] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="MSDOS.SYS") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="IO.SYS") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="boot.ini") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntuser.dat") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="desktop.ini") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="CONFIG.SYS") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="RECYCLER") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="bootmgr") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="programdata") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="appdata") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files") returned 1 [0116.089] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files (x86)") returned 1 [0116.089] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" [0116.089] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\", lpString2="vc_runtimeAdditional_x86.msi" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0116.089] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0116.089] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0116.089] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0116.089] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0116.089] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0116.089] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0116.089] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0116.089] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0116.089] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0116.089] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0116.090] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0116.090] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0116.090] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0116.090] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0116.090] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0116.090] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0116.090] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeab3900, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfeab3900, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfeab3900, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0116.090] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.090] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0116.090] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.090] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.090] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.090] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0116.090] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2=".") returned 1 [0116.090] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="..") returned 1 [0116.090] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="...") returned 1 [0116.090] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="windows") returned -1 [0116.090] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="$RECYCLE.BIN") returned 1 [0116.090] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="rsa") returned -1 [0116.090] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="log") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="NTDETECT.COM") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="ntldr") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="MSDOS.SYS") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="IO.SYS") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="boot.ini") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="AUTOEXEC.BAT") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="ntuser.dat") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="desktop.ini") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="CONFIG.SYS") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="RECYCLER") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="BOOTSECT.BAK") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="bootmgr") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="programdata") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="appdata") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="program files") returned -1 [0116.091] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="program files (x86)") returned -1 [0116.091] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.092] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" [0116.092] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\" [0116.092] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\" [0116.092] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*" [0116.092] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.093] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.093] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.093] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.093] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.093] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0116.093] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0116.093] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0116.093] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0116.093] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0116.093] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0116.093] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0116.093] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0116.093] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0116.093] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0116.093] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0116.093] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0116.093] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0116.094] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0116.094] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0116.094] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0116.094] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0116.094] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0116.094] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0116.094] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0116.094] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0116.094] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0116.094] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0116.094] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0116.094] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\" [0116.094] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages" [0116.094] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\" [0116.094] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\" [0116.094] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*" [0116.094] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.095] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.095] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.095] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.095] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.095] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="...") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="windows") returned -1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$RECYCLE.BIN") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="rsa") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="log") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="NTDETECT.COM") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntldr") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="MSDOS.SYS") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="IO.SYS") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="boot.ini") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntuser.dat") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="desktop.ini") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="CONFIG.SYS") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="RECYCLER") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="BOOTSECT.BAK") returned 1 [0116.095] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="bootmgr") returned 1 [0116.096] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="programdata") returned 1 [0116.096] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="appdata") returned 1 [0116.096] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files") returned 1 [0116.096] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files (x86)") returned 1 [0116.096] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\" [0116.096] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\", lpString2="vcRuntimeMinimum_amd64" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64" [0116.096] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" [0116.096] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" [0116.096] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" [0116.096] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0116.096] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.096] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0116.096] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.096] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.096] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c0e500, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd3c0e500, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd3c0e500, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x165257, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="log") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0116.097] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0116.098] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" [0116.098] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\", lpString2="cab1.cab" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0116.098] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0116.098] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0116.098] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0116.098] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0116.098] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7a0c00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfd7a0c00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfd7a0c00, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0116.098] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0116.098] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0116.098] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="...") returned 1 [0116.098] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="windows") returned -1 [0116.098] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0116.098] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="rsa") returned 1 [0116.098] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="log") returned 1 [0116.098] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="NTDETECT.COM") returned 1 [0116.098] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntldr") returned 1 [0116.098] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="MSDOS.SYS") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="IO.SYS") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="boot.ini") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntuser.dat") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="desktop.ini") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="CONFIG.SYS") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="RECYCLER") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="bootmgr") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="programdata") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="appdata") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files") returned 1 [0116.099] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files (x86)") returned 1 [0116.099] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" [0116.099] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\", lpString2="vc_runtimeMinimum_x64.msi" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0116.099] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0116.099] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0116.100] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0116.100] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7a0c00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfd7a0c00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfd7a0c00, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0116.100] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.100] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0116.100] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.101] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.101] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.101] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2=".") returned 1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="..") returned 1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="...") returned 1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="windows") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="$RECYCLE.BIN") returned 1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="rsa") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="log") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="NTDETECT.COM") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="ntldr") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="MSDOS.SYS") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="IO.SYS") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="boot.ini") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="AUTOEXEC.BAT") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="ntuser.dat") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="desktop.ini") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="CONFIG.SYS") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="RECYCLER") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="BOOTSECT.BAK") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="bootmgr") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="programdata") returned -1 [0116.101] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="appdata") returned -1 [0116.102] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="program files") returned -1 [0116.102] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="program files (x86)") returned -1 [0116.102] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.102] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" [0116.102] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\" [0116.102] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\" [0116.102] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*" [0116.102] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.102] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.102] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.102] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.102] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.102] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0116.102] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0116.102] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0116.102] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0116.102] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0116.103] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0116.103] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\" [0116.103] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" [0116.103] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\" [0116.103] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\" [0116.103] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*" [0116.103] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.104] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.104] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.104] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.104] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.104] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="...") returned 1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="windows") returned -1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$RECYCLE.BIN") returned 1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="rsa") returned 1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="log") returned 1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="NTDETECT.COM") returned 1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntldr") returned 1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="MSDOS.SYS") returned 1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="IO.SYS") returned 1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="boot.ini") returned 1 [0116.104] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0116.105] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntuser.dat") returned 1 [0116.105] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="desktop.ini") returned 1 [0116.105] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="CONFIG.SYS") returned 1 [0116.105] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="RECYCLER") returned 1 [0116.105] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="BOOTSECT.BAK") returned 1 [0116.105] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="bootmgr") returned 1 [0116.105] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="programdata") returned 1 [0116.105] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="appdata") returned 1 [0116.105] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files") returned 1 [0116.105] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files (x86)") returned 1 [0116.105] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\" [0116.105] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\", lpString2="vcRuntimeAdditional_amd64" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" [0116.105] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" [0116.105] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" [0116.105] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" [0116.106] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0116.106] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.106] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0116.106] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.106] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.106] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c9b1b00, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7c9b1b00, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7c9b1b00, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x554520, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0116.106] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0116.106] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0116.106] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0116.106] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0116.106] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0116.106] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0116.106] lstrcmpiW (lpString1="cab1.cab", lpString2="log") returned -1 [0116.106] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0116.106] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0116.106] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0116.107] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0116.107] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" [0116.107] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\", lpString2="cab1.cab" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0116.107] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0116.107] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0116.107] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0116.107] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0116.107] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0116.107] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0116.107] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0116.107] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="...") returned 1 [0116.107] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="windows") returned -1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="rsa") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="log") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="NTDETECT.COM") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntldr") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="MSDOS.SYS") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="IO.SYS") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="boot.ini") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntuser.dat") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="desktop.ini") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="CONFIG.SYS") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="RECYCLER") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="bootmgr") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="programdata") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="appdata") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files") returned 1 [0116.108] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files (x86)") returned 1 [0116.108] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" [0116.108] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\", lpString2="vc_runtimeAdditional_x64.msi" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0116.108] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0116.108] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0116.108] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0116.109] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0116.109] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0116.109] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.109] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0116.109] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.109] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.109] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.109] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2=".") returned 1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="..") returned 1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="...") returned 1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="windows") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="$RECYCLE.BIN") returned 1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="rsa") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="log") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="NTDETECT.COM") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="ntldr") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="MSDOS.SYS") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="IO.SYS") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="boot.ini") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="AUTOEXEC.BAT") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="ntuser.dat") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="desktop.ini") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="CONFIG.SYS") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="RECYCLER") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="BOOTSECT.BAK") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="bootmgr") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="programdata") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="appdata") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="program files") returned -1 [0116.110] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="program files (x86)") returned -1 [0116.110] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.110] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" [0116.111] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\" [0116.111] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\" [0116.111] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*" [0116.111] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.111] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.111] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.111] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.111] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.111] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0116.111] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0116.111] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0116.111] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0116.111] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0116.111] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0116.112] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0116.112] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\" [0116.112] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" [0116.112] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\" [0116.112] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\" [0116.112] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*" [0116.112] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.113] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.113] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.113] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.113] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.113] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0116.113] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0116.113] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0116.113] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="...") returned 1 [0116.113] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="windows") returned -1 [0116.113] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$RECYCLE.BIN") returned 1 [0116.113] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="rsa") returned 1 [0116.113] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="log") returned 1 [0116.113] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="NTDETECT.COM") returned 1 [0116.113] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntldr") returned 1 [0116.113] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="MSDOS.SYS") returned 1 [0116.113] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="IO.SYS") returned 1 [0116.114] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="boot.ini") returned 1 [0116.114] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0116.114] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntuser.dat") returned 1 [0116.114] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="desktop.ini") returned 1 [0116.114] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="CONFIG.SYS") returned 1 [0116.114] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="RECYCLER") returned 1 [0116.114] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="BOOTSECT.BAK") returned 1 [0116.114] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="bootmgr") returned 1 [0116.114] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="programdata") returned 1 [0116.114] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="appdata") returned 1 [0116.114] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files") returned 1 [0116.114] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files (x86)") returned 1 [0116.114] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\" [0116.114] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\", lpString2="vcRuntimeMinimum_amd64" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" [0116.114] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" [0116.114] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" [0116.114] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" [0116.114] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0116.115] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.115] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0116.115] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.115] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.115] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b69ee00, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7b69ee00, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7b69ee00, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="log") returned -1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0116.115] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0116.116] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0116.116] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0116.116] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0116.116] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0116.116] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" [0116.116] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\", lpString2="cab1.cab" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0116.116] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0116.116] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0116.116] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0116.116] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0116.116] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="...") returned 1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="windows") returned -1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="rsa") returned 1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="log") returned 1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="NTDETECT.COM") returned 1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntldr") returned 1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="MSDOS.SYS") returned 1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="IO.SYS") returned 1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="boot.ini") returned 1 [0116.116] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0116.117] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntuser.dat") returned 1 [0116.117] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="desktop.ini") returned 1 [0116.117] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="CONFIG.SYS") returned 1 [0116.117] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="RECYCLER") returned 1 [0116.117] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0116.117] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="bootmgr") returned 1 [0116.117] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="programdata") returned 1 [0116.117] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="appdata") returned 1 [0116.117] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files") returned 1 [0116.117] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files (x86)") returned 1 [0116.117] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" [0116.117] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\", lpString2="vc_runtimeMinimum_x64.msi" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0116.117] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0116.117] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0116.117] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0116.117] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0116.117] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0116.117] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0116.117] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0116.117] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0116.117] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0116.117] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0116.117] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0116.117] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0116.118] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0116.118] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0116.118] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0116.118] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0116.118] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0116.118] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.118] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0116.118] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.118] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.118] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.118] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0116.118] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2=".") returned 1 [0116.118] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="..") returned 1 [0116.118] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="...") returned 1 [0116.118] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="windows") returned -1 [0116.118] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="$RECYCLE.BIN") returned 1 [0116.118] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="rsa") returned -1 [0116.118] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="log") returned -1 [0116.118] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="NTDETECT.COM") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="ntldr") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="MSDOS.SYS") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="IO.SYS") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="boot.ini") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="AUTOEXEC.BAT") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="ntuser.dat") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="desktop.ini") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="CONFIG.SYS") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="RECYCLER") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="BOOTSECT.BAK") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="bootmgr") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="programdata") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="appdata") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="program files") returned -1 [0116.119] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="program files (x86)") returned -1 [0116.119] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.119] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" [0116.119] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\" [0116.119] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\" [0116.119] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*" [0116.119] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.132] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.132] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.132] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.132] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.132] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0116.132] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0116.132] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0116.132] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0116.132] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0116.132] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0116.132] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0116.132] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0116.132] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0116.132] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0116.132] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0116.132] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0116.133] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0116.133] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0116.133] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0116.133] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0116.133] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0116.133] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0116.133] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0116.133] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0116.133] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0116.133] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0116.133] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0116.133] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0116.133] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\" [0116.133] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" [0116.133] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\" [0116.134] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\" [0116.134] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*" [0116.134] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.135] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.135] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.135] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.135] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.135] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0116.135] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0116.135] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0116.135] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="...") returned 1 [0116.135] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="windows") returned -1 [0116.135] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$RECYCLE.BIN") returned 1 [0116.135] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="rsa") returned 1 [0116.135] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="log") returned 1 [0116.135] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="NTDETECT.COM") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntldr") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="MSDOS.SYS") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="IO.SYS") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="boot.ini") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="AUTOEXEC.BAT") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntuser.dat") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="desktop.ini") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="CONFIG.SYS") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="RECYCLER") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="BOOTSECT.BAK") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="bootmgr") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="programdata") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="appdata") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files") returned 1 [0116.136] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files (x86)") returned 1 [0116.136] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\" [0116.136] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" [0116.136] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" [0116.137] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" [0116.137] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*" [0116.137] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0116.138] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.138] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0116.138] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.138] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.138] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aae6600, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x8aae6600, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x8aae6600, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0116.138] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0116.138] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0116.138] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0116.138] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0116.138] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0116.138] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0116.138] lstrcmpiW (lpString1="cab1.cab", lpString2="log") returned -1 [0116.138] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0116.138] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0116.138] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0116.138] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0116.138] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0116.139] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0116.139] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0116.139] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0116.139] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0116.139] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0116.139] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0116.139] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0116.139] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0116.139] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0116.139] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0116.139] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0116.139] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" [0116.139] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\", lpString2="cab1.cab" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0116.139] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0116.139] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0116.139] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0116.139] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0116.139] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x48395900, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0116.139] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0116.139] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0116.139] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="...") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="windows") returned -1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="rsa") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="log") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="NTDETECT.COM") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntldr") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="MSDOS.SYS") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="IO.SYS") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="boot.ini") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntuser.dat") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="desktop.ini") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="CONFIG.SYS") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="RECYCLER") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="bootmgr") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="programdata") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="appdata") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files") returned 1 [0116.140] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files (x86)") returned 1 [0116.140] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" [0116.140] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\", lpString2="vc_runtimeAdditional_x86.msi" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0116.140] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0116.140] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0116.140] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0116.141] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0116.141] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x48395900, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0116.141] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.141] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0116.141] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.141] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.141] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.141] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2=".") returned 1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="..") returned 1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="...") returned 1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="windows") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="$RECYCLE.BIN") returned 1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="rsa") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="log") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="NTDETECT.COM") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="ntldr") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="MSDOS.SYS") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="IO.SYS") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="boot.ini") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="AUTOEXEC.BAT") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="ntuser.dat") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="desktop.ini") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="CONFIG.SYS") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="RECYCLER") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="BOOTSECT.BAK") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="bootmgr") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="programdata") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="appdata") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="program files") returned -1 [0116.142] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="program files (x86)") returned -1 [0116.143] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.143] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" [0116.143] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\" [0116.143] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\" [0116.143] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*" [0116.143] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.143] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.143] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.143] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.143] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.143] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0116.144] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0116.145] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0116.145] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\" [0116.145] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" [0116.145] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\" [0116.145] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\" [0116.145] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*" [0116.145] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.155] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.155] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.155] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.155] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.155] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0116.155] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0116.155] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="...") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="windows") returned -1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$RECYCLE.BIN") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="rsa") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="log") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="NTDETECT.COM") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntldr") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="MSDOS.SYS") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="IO.SYS") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="boot.ini") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="AUTOEXEC.BAT") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntuser.dat") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="desktop.ini") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="CONFIG.SYS") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="RECYCLER") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="BOOTSECT.BAK") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="bootmgr") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="programdata") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="appdata") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files") returned 1 [0116.156] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files (x86)") returned 1 [0116.156] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\" [0116.156] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\", lpString2="vcRuntimeMinimum_x86" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" [0116.156] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" [0116.156] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" [0116.157] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*" [0116.157] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0116.165] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.165] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0116.165] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.165] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.165] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x884c0c00, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x884c0c00, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x884c0c00, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0116.165] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0116.165] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0116.165] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0116.165] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0116.165] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0116.165] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0116.165] lstrcmpiW (lpString1="cab1.cab", lpString2="log") returned -1 [0116.165] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0116.166] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0116.166] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" [0116.166] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\", lpString2="cab1.cab" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0116.166] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0116.166] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0116.166] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0116.166] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0116.166] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x48395900, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0116.166] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="...") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="windows") returned -1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="rsa") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="log") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="NTDETECT.COM") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntldr") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="MSDOS.SYS") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="IO.SYS") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="boot.ini") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntuser.dat") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="desktop.ini") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="CONFIG.SYS") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="RECYCLER") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0116.167] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="bootmgr") returned 1 [0116.168] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="programdata") returned 1 [0116.168] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="appdata") returned 1 [0116.168] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files") returned 1 [0116.168] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files (x86)") returned 1 [0116.168] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" [0116.168] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\", lpString2="vc_runtimeMinimum_x86.msi" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0116.168] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0116.168] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0116.168] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x48395900, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0116.169] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.169] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0116.169] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.169] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.169] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.169] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2=".") returned 1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="..") returned 1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="...") returned 1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="windows") returned -1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="$RECYCLE.BIN") returned 1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="rsa") returned -1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="log") returned -1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="NTDETECT.COM") returned -1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="ntldr") returned -1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="MSDOS.SYS") returned -1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="IO.SYS") returned -1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="boot.ini") returned -1 [0116.169] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="AUTOEXEC.BAT") returned -1 [0116.170] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="ntuser.dat") returned -1 [0116.170] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="desktop.ini") returned -1 [0116.170] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="CONFIG.SYS") returned -1 [0116.170] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="RECYCLER") returned -1 [0116.170] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="BOOTSECT.BAK") returned -1 [0116.170] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="bootmgr") returned -1 [0116.170] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="programdata") returned -1 [0116.170] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="appdata") returned -1 [0116.170] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="program files") returned -1 [0116.170] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="program files (x86)") returned -1 [0116.170] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.170] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" [0116.170] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\") returned="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" [0116.170] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\") returned="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" [0116.170] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0116.170] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.172] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.172] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.172] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.172] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.172] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfe3882c0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0116.172] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0116.172] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0116.172] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0116.172] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0116.172] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0116.172] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0116.172] lstrcmpiW (lpString1="state.rsm", lpString2="log") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0116.173] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0116.173] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\") returned="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" [0116.173] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="state.rsm" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" [0116.173] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0116.173] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0116.173] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".NEPHILIM") returned 1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0116.174] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0116.174] lstrcmpiW (lpString1="state.rsm", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0116.174] lstrlenA (lpString="NEPHILIM") returned 8 [0116.174] GetProcessHeap () returned 0x4e0000 [0116.174] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50be50 [0116.174] lstrlenA (lpString="NEPHILIM") returned 8 [0116.175] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0116.206] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=654) returned 1 [0116.206] GetProcessHeap () returned 0x4e0000 [0116.206] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.206] GetProcessHeap () returned 0x4e0000 [0116.207] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.207] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.207] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.207] GetProcessHeap () returned 0x4e0000 [0116.207] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.207] GetProcessHeap () returned 0x4e0000 [0116.207] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.207] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0116.207] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0116.207] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x28e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.207] SetLastError (dwErrCode=0x0) [0116.207] WriteFile (in: hFile=0xf0, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.209] GetLastError () returned 0x0 [0116.209] GetLastError () returned 0x0 [0116.209] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x38e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.209] WriteFile (in: hFile=0xf0, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.209] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x48e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.209] lstrlenA (lpString="NEPHILIM") returned 8 [0116.209] WriteFile (in: hFile=0xf0, lpBuffer=0x50be50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50be50*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0116.209] GetProcessHeap () returned 0x4e0000 [0116.209] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x28e) returned 0x50fd10 [0116.210] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.210] ReadFile (in: hFile=0xf0, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x28e, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24dddb0*=0x28e, lpOverlapped=0x0) returned 1 [0116.210] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.210] WriteFile (in: hFile=0xf0, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24dddbc*=0x28e, lpOverlapped=0x0) returned 1 [0116.210] GetProcessHeap () returned 0x4e0000 [0116.210] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0116.210] CloseHandle (hObject=0xf0) returned 1 [0116.210] GetProcessHeap () returned 0x4e0000 [0116.210] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.210] GetProcessHeap () returned 0x4e0000 [0116.210] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.210] GetProcessHeap () returned 0x4e0000 [0116.210] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.210] GetProcessHeap () returned 0x4e0000 [0116.210] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.210] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" [0116.210] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.NEPHILIM") returned="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.NEPHILIM" [0116.211] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.NEPHILIM" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.nephilim")) returned 1 [0116.211] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xf0a0a700, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0116.211] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2=".") returned 1 [0116.211] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="..") returned 1 [0116.211] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="...") returned 1 [0116.211] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="windows") returned -1 [0116.211] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$RECYCLE.BIN") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="rsa") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="log") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="NTDETECT.COM") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntldr") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="MSDOS.SYS") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="IO.SYS") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="boot.ini") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="AUTOEXEC.BAT") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntuser.dat") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="desktop.ini") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="CONFIG.SYS") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="RECYCLER") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="BOOTSECT.BAK") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="bootmgr") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="programdata") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="appdata") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files") returned 1 [0116.212] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files (x86)") returned 1 [0116.212] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\") returned="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" [0116.212] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="vcredist_x64.exe" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" [0116.212] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0116.212] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0116.212] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xf0a0a700, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0116.212] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.212] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0116.212] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2=".") returned 1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="..") returned 1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="...") returned 1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="windows") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="$RECYCLE.BIN") returned 1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="rsa") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="log") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="NTDETECT.COM") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="ntldr") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="MSDOS.SYS") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="IO.SYS") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="boot.ini") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="AUTOEXEC.BAT") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="ntuser.dat") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="desktop.ini") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="CONFIG.SYS") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="RECYCLER") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="BOOTSECT.BAK") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="bootmgr") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="programdata") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="appdata") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="program files") returned -1 [0116.213] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="program files (x86)") returned -1 [0116.213] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.213] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" [0116.213] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\" [0116.213] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\" [0116.213] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*" [0116.213] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.218] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.218] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.218] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.218] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.219] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0116.219] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0116.220] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0116.220] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0116.220] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0116.220] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0116.220] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0116.220] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0116.220] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0116.220] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\" [0116.220] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" [0116.220] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\" [0116.220] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\" [0116.220] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*" [0116.220] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.221] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.221] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.221] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.221] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.221] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0116.221] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0116.221] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0116.221] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="...") returned 1 [0116.221] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="windows") returned -1 [0116.221] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$RECYCLE.BIN") returned 1 [0116.221] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="rsa") returned 1 [0116.221] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="log") returned 1 [0116.221] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="NTDETECT.COM") returned 1 [0116.221] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntldr") returned 1 [0116.221] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="MSDOS.SYS") returned 1 [0116.221] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="IO.SYS") returned 1 [0116.221] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="boot.ini") returned 1 [0116.222] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0116.222] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntuser.dat") returned 1 [0116.222] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="desktop.ini") returned 1 [0116.222] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="CONFIG.SYS") returned 1 [0116.222] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="RECYCLER") returned 1 [0116.222] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="BOOTSECT.BAK") returned 1 [0116.222] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="bootmgr") returned 1 [0116.222] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="programdata") returned 1 [0116.222] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="appdata") returned 1 [0116.222] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files") returned 1 [0116.222] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files (x86)") returned 1 [0116.222] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\" [0116.222] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\", lpString2="vcRuntimeMinimum_amd64" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" [0116.222] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" [0116.222] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" [0116.222] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" [0116.222] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0116.223] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.223] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0116.223] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.223] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.223] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x969a2800, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x969a2800, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x969a2800, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0116.223] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0116.223] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0116.223] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0116.223] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0116.223] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0116.223] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0116.223] lstrcmpiW (lpString1="cab1.cab", lpString2="log") returned -1 [0116.223] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0116.223] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0116.224] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0116.224] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" [0116.224] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\", lpString2="cab1.cab" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0116.224] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0116.224] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0116.224] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0116.224] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0116.224] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1afc00, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x5a1afc00, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x5a1afc00, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0116.224] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0116.224] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="...") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="windows") returned -1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="rsa") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="log") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="NTDETECT.COM") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntldr") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="MSDOS.SYS") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="IO.SYS") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="boot.ini") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntuser.dat") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="desktop.ini") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="CONFIG.SYS") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="RECYCLER") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="bootmgr") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="programdata") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="appdata") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files") returned 1 [0116.225] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files (x86)") returned 1 [0116.225] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" [0116.225] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\", lpString2="vc_runtimeMinimum_x64.msi" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0116.225] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0116.226] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0116.226] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1afc00, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x5a1afc00, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x5a1afc00, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0116.226] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.226] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0116.226] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.226] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.227] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.227] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2=".") returned 1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="..") returned 1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="...") returned 1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="windows") returned -1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="$RECYCLE.BIN") returned 1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="rsa") returned -1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="log") returned -1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="NTDETECT.COM") returned -1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="ntldr") returned -1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="MSDOS.SYS") returned -1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="IO.SYS") returned -1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="boot.ini") returned -1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="AUTOEXEC.BAT") returned -1 [0116.227] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="ntuser.dat") returned -1 [0116.231] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="desktop.ini") returned -1 [0116.231] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="CONFIG.SYS") returned -1 [0116.231] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="RECYCLER") returned -1 [0116.231] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="BOOTSECT.BAK") returned -1 [0116.231] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="bootmgr") returned -1 [0116.231] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="programdata") returned -1 [0116.231] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="appdata") returned -1 [0116.231] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="program files") returned -1 [0116.231] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="program files (x86)") returned -1 [0116.231] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.231] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" [0116.231] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\" [0116.231] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\" [0116.231] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*" [0116.231] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.232] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.232] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.232] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.232] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.232] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0116.232] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0116.232] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0116.232] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0116.232] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0116.232] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0116.233] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0116.233] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\" [0116.233] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages" [0116.233] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\" [0116.234] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\" [0116.234] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*" [0116.234] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.235] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.235] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.235] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.235] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.235] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0116.235] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0116.235] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0116.235] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="...") returned 1 [0116.235] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="windows") returned -1 [0116.235] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$RECYCLE.BIN") returned 1 [0116.235] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="rsa") returned 1 [0116.235] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="log") returned 1 [0116.235] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="NTDETECT.COM") returned 1 [0116.235] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntldr") returned 1 [0116.235] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="MSDOS.SYS") returned 1 [0116.235] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="IO.SYS") returned 1 [0116.235] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="boot.ini") returned 1 [0116.236] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0116.236] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntuser.dat") returned 1 [0116.236] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="desktop.ini") returned 1 [0116.236] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="CONFIG.SYS") returned 1 [0116.236] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="RECYCLER") returned 1 [0116.236] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="BOOTSECT.BAK") returned 1 [0116.236] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="bootmgr") returned 1 [0116.236] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="programdata") returned 1 [0116.236] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="appdata") returned 1 [0116.236] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files") returned 1 [0116.236] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files (x86)") returned 1 [0116.236] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\" [0116.236] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\", lpString2="vcRuntimeAdditional_amd64" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64" [0116.236] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" [0116.236] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" [0116.236] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" [0116.237] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0116.237] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.237] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0116.237] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.237] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.237] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdae7f300, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xdae7f300, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xdae7f300, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x59bde5, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0116.237] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0116.237] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0116.237] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0116.237] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0116.237] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="log") returned -1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0116.238] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0116.238] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" [0116.238] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\", lpString2="cab1.cab" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0116.239] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0116.239] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0116.239] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0116.239] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0116.239] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36fed00, ftCreationTime.dwHighDateTime=0x1d28825, ftLastAccessTime.dwLowDateTime=0x36fed00, ftLastAccessTime.dwHighDateTime=0x1d28825, ftLastWriteTime.dwLowDateTime=0x36fed00, ftLastWriteTime.dwHighDateTime=0x1d28825, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="...") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="windows") returned -1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="rsa") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="log") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="NTDETECT.COM") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntldr") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="MSDOS.SYS") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="IO.SYS") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="boot.ini") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntuser.dat") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="desktop.ini") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="CONFIG.SYS") returned 1 [0116.239] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="RECYCLER") returned 1 [0116.240] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0116.240] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="bootmgr") returned 1 [0116.240] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="programdata") returned 1 [0116.240] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="appdata") returned 1 [0116.240] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files") returned 1 [0116.240] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files (x86)") returned 1 [0116.240] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" [0116.240] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\", lpString2="vc_runtimeAdditional_x64.msi" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0116.240] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0116.240] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0116.240] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0116.240] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0116.240] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0116.240] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0116.240] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0116.240] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0116.240] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0116.240] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0116.240] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0116.240] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0116.241] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0116.241] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0116.241] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0116.241] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0116.241] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36fed00, ftCreationTime.dwHighDateTime=0x1d28825, ftLastAccessTime.dwLowDateTime=0x36fed00, ftLastAccessTime.dwHighDateTime=0x1d28825, ftLastWriteTime.dwLowDateTime=0x36fed00, ftLastWriteTime.dwHighDateTime=0x1d28825, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc200c0, dwReserved1=0x24ddbe0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0116.241] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.241] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x24de260, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0116.241] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.241] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.241] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.241] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0116.241] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2=".") returned 1 [0116.241] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="..") returned 1 [0116.241] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="...") returned 1 [0116.241] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="windows") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="$RECYCLE.BIN") returned 1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="rsa") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="log") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="NTDETECT.COM") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="ntldr") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="MSDOS.SYS") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="IO.SYS") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="boot.ini") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="AUTOEXEC.BAT") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="ntuser.dat") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="desktop.ini") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="CONFIG.SYS") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="RECYCLER") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="BOOTSECT.BAK") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="bootmgr") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="programdata") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="appdata") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="program files") returned -1 [0116.242] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="program files (x86)") returned -1 [0116.242] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.242] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}" [0116.243] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\") returned="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" [0116.243] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\") returned="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" [0116.243] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0116.243] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.243] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.243] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.243] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.243] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.243] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xe9f9cff0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0116.243] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0116.243] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="log") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0116.244] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0116.244] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\") returned="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" [0116.244] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="state.rsm" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" [0116.244] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0116.244] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".NEPHILIM") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0116.245] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0116.245] lstrcmpiW (lpString1="state.rsm", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0116.245] lstrlenA (lpString="NEPHILIM") returned 8 [0116.245] GetProcessHeap () returned 0x4e0000 [0116.246] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50be60 [0116.246] lstrlenA (lpString="NEPHILIM") returned 8 [0116.246] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0116.247] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=766) returned 1 [0116.247] GetProcessHeap () returned 0x4e0000 [0116.247] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.247] GetProcessHeap () returned 0x4e0000 [0116.247] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.247] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.247] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.247] GetProcessHeap () returned 0x4e0000 [0116.247] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.247] GetProcessHeap () returned 0x4e0000 [0116.247] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.248] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0116.248] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0116.248] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x2fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.248] SetLastError (dwErrCode=0x0) [0116.248] WriteFile (in: hFile=0xf0, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.259] GetLastError () returned 0x0 [0116.259] GetLastError () returned 0x0 [0116.259] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.259] WriteFile (in: hFile=0xf0, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.259] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x4fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.259] lstrlenA (lpString="NEPHILIM") returned 8 [0116.259] WriteFile (in: hFile=0xf0, lpBuffer=0x50be60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50be60*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0116.259] GetProcessHeap () returned 0x4e0000 [0116.259] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2fe) returned 0x50c0a8 [0116.259] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.260] ReadFile (in: hFile=0xf0, lpBuffer=0x50c0a8, nNumberOfBytesToRead=0x2fe, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c0a8*, lpNumberOfBytesRead=0x24dddb0*=0x2fe, lpOverlapped=0x0) returned 1 [0116.260] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.260] WriteFile (in: hFile=0xf0, lpBuffer=0x50c0a8*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c0a8*, lpNumberOfBytesWritten=0x24dddbc*=0x2fe, lpOverlapped=0x0) returned 1 [0116.260] GetProcessHeap () returned 0x4e0000 [0116.260] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c0a8 | out: hHeap=0x4e0000) returned 1 [0116.260] CloseHandle (hObject=0xf0) returned 1 [0116.260] GetProcessHeap () returned 0x4e0000 [0116.261] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.261] GetProcessHeap () returned 0x4e0000 [0116.261] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.261] GetProcessHeap () returned 0x4e0000 [0116.261] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.261] GetProcessHeap () returned 0x4e0000 [0116.261] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.261] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" [0116.261] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.NEPHILIM") returned="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.NEPHILIM" [0116.261] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.NEPHILIM" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.nephilim")) returned 1 [0116.262] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x968d5df0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0116.262] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2=".") returned 1 [0116.262] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="..") returned 1 [0116.262] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="...") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="windows") returned -1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="$RECYCLE.BIN") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="rsa") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="log") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="NTDETECT.COM") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="ntldr") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="MSDOS.SYS") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="IO.SYS") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="boot.ini") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="AUTOEXEC.BAT") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="ntuser.dat") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="desktop.ini") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="CONFIG.SYS") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="RECYCLER") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="BOOTSECT.BAK") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="bootmgr") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="programdata") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="appdata") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="program files") returned 1 [0116.263] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="program files (x86)") returned 1 [0116.263] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\") returned="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" [0116.263] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="VC_redist.x64.exe" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" [0116.264] PathFindExtensionW (pszPath="VC_redist.x64.exe") returned=".exe" [0116.264] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0116.264] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x968d5df0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0116.264] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.264] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2=".") returned 1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="..") returned 1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="...") returned 1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="windows") returned -1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="$RECYCLE.BIN") returned 1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="rsa") returned -1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="log") returned -1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="NTDETECT.COM") returned -1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="ntldr") returned -1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="MSDOS.SYS") returned -1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="IO.SYS") returned -1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="boot.ini") returned -1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="AUTOEXEC.BAT") returned -1 [0116.264] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="ntuser.dat") returned -1 [0116.265] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="desktop.ini") returned -1 [0116.265] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="CONFIG.SYS") returned -1 [0116.265] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="RECYCLER") returned -1 [0116.265] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="BOOTSECT.BAK") returned -1 [0116.265] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="bootmgr") returned -1 [0116.265] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="programdata") returned -1 [0116.265] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="appdata") returned -1 [0116.265] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="program files") returned -1 [0116.265] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="program files (x86)") returned -1 [0116.265] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.265] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" [0116.265] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\") returned="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" [0116.265] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\") returned="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" [0116.265] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0116.265] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.267] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.267] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.267] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.267] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.267] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcad7040, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x105e7220, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2="log") returned 1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0116.267] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0116.268] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0116.268] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0116.268] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0116.268] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0116.268] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0116.268] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0116.268] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0116.268] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0116.268] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0116.268] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0116.268] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\") returned="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" [0116.268] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="state.rsm" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" [0116.268] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0116.268] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0116.268] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0116.268] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0116.268] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0116.268] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0116.268] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0116.268] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0116.268] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0116.268] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0116.269] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0116.269] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0116.269] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0116.269] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0116.269] lstrcmpiW (lpString1=".rsm", lpString2=".NEPHILIM") returned 1 [0116.269] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0116.269] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0116.269] lstrcmpiW (lpString1="state.rsm", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0116.269] lstrlenA (lpString="NEPHILIM") returned 8 [0116.269] GetProcessHeap () returned 0x4e0000 [0116.269] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50be70 [0116.269] lstrlenA (lpString="NEPHILIM") returned 8 [0116.269] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0116.270] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=666) returned 1 [0116.270] GetProcessHeap () returned 0x4e0000 [0116.270] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.270] GetProcessHeap () returned 0x4e0000 [0116.270] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.270] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.270] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.270] GetProcessHeap () returned 0x4e0000 [0116.270] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.270] GetProcessHeap () returned 0x4e0000 [0116.270] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.270] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0116.271] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0116.271] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x29a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.271] SetLastError (dwErrCode=0x0) [0116.271] WriteFile (in: hFile=0xf0, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.273] GetLastError () returned 0x0 [0116.273] GetLastError () returned 0x0 [0116.273] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x39a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.273] WriteFile (in: hFile=0xf0, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.273] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x49a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.273] lstrlenA (lpString="NEPHILIM") returned 8 [0116.273] WriteFile (in: hFile=0xf0, lpBuffer=0x50be70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50be70*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0116.273] GetProcessHeap () returned 0x4e0000 [0116.273] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x29a) returned 0x50fd10 [0116.273] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.273] ReadFile (in: hFile=0xf0, lpBuffer=0x50fd10, nNumberOfBytesToRead=0x29a, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesRead=0x24dddb0*=0x29a, lpOverlapped=0x0) returned 1 [0116.274] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.274] WriteFile (in: hFile=0xf0, lpBuffer=0x50fd10*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50fd10*, lpNumberOfBytesWritten=0x24dddbc*=0x29a, lpOverlapped=0x0) returned 1 [0116.274] GetProcessHeap () returned 0x4e0000 [0116.274] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50fd10 | out: hHeap=0x4e0000) returned 1 [0116.274] CloseHandle (hObject=0xf0) returned 1 [0116.274] GetProcessHeap () returned 0x4e0000 [0116.274] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.274] GetProcessHeap () returned 0x4e0000 [0116.274] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.274] GetProcessHeap () returned 0x4e0000 [0116.274] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.274] GetProcessHeap () returned 0x4e0000 [0116.274] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.274] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" [0116.275] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.NEPHILIM") returned="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.NEPHILIM" [0116.275] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.NEPHILIM" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.nephilim")) returned 1 [0116.276] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca64c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xfe5c3760, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2=".") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="..") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="...") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="windows") returned -1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$RECYCLE.BIN") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="rsa") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="log") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="NTDETECT.COM") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntldr") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="MSDOS.SYS") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="IO.SYS") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="boot.ini") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="AUTOEXEC.BAT") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntuser.dat") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="desktop.ini") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="CONFIG.SYS") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="RECYCLER") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="BOOTSECT.BAK") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="bootmgr") returned 1 [0116.276] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="programdata") returned 1 [0116.277] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="appdata") returned 1 [0116.277] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files") returned 1 [0116.277] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files (x86)") returned 1 [0116.277] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\") returned="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" [0116.277] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="vcredist_x86.exe" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" [0116.277] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0116.277] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0116.277] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca64c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xfe5c3760, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0116.277] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.277] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0116.277] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2=".") returned 1 [0116.277] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="..") returned 1 [0116.277] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="...") returned 1 [0116.277] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="windows") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="$RECYCLE.BIN") returned 1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="rsa") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="log") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="NTDETECT.COM") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="ntldr") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="MSDOS.SYS") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="IO.SYS") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="boot.ini") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="AUTOEXEC.BAT") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="ntuser.dat") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="desktop.ini") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="CONFIG.SYS") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="RECYCLER") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="BOOTSECT.BAK") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="bootmgr") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="programdata") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="appdata") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="program files") returned -1 [0116.278] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="program files (x86)") returned -1 [0116.278] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.278] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{f325f05b-f963-4640-a43b-c8a494cdda0f}" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}" [0116.278] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\") returned="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" [0116.278] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\") returned="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" [0116.278] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" [0116.279] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.280] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.280] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.280] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.280] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.280] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf93efac0, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0x6601040, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2="log") returned 1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0116.280] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0116.281] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0116.281] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0116.281] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0116.281] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0116.281] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0116.281] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0116.281] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0116.281] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0116.281] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0116.281] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0116.281] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\") returned="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" [0116.281] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="state.rsm" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" [0116.281] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0116.281] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0116.281] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0116.281] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0116.281] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0116.281] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0116.281] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0116.281] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0116.281] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0116.281] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0116.281] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0116.281] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0116.281] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0116.282] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0116.282] lstrcmpiW (lpString1=".rsm", lpString2=".NEPHILIM") returned 1 [0116.282] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0116.282] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0116.282] lstrcmpiW (lpString1="state.rsm", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0116.282] lstrlenA (lpString="NEPHILIM") returned 8 [0116.282] GetProcessHeap () returned 0x4e0000 [0116.282] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50be80 [0116.282] lstrlenA (lpString="NEPHILIM") returned 8 [0116.282] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0116.283] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=766) returned 1 [0116.283] GetProcessHeap () returned 0x4e0000 [0116.283] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.283] GetProcessHeap () returned 0x4e0000 [0116.283] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.283] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.283] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.283] GetProcessHeap () returned 0x4e0000 [0116.283] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.283] GetProcessHeap () returned 0x4e0000 [0116.283] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.283] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0116.283] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0116.284] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x2fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.284] SetLastError (dwErrCode=0x0) [0116.284] WriteFile (in: hFile=0xf0, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.286] GetLastError () returned 0x0 [0116.286] GetLastError () returned 0x0 [0116.286] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x3fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.286] WriteFile (in: hFile=0xf0, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.286] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x4fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.286] lstrlenA (lpString="NEPHILIM") returned 8 [0116.286] WriteFile (in: hFile=0xf0, lpBuffer=0x50be80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50be80*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0116.286] GetProcessHeap () returned 0x4e0000 [0116.286] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2fe) returned 0x50c0a8 [0116.287] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.287] ReadFile (in: hFile=0xf0, lpBuffer=0x50c0a8, nNumberOfBytesToRead=0x2fe, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x50c0a8*, lpNumberOfBytesRead=0x24dddb0*=0x2fe, lpOverlapped=0x0) returned 1 [0116.287] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.287] WriteFile (in: hFile=0xf0, lpBuffer=0x50c0a8*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50c0a8*, lpNumberOfBytesWritten=0x24dddbc*=0x2fe, lpOverlapped=0x0) returned 1 [0116.287] GetProcessHeap () returned 0x4e0000 [0116.287] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c0a8 | out: hHeap=0x4e0000) returned 1 [0116.287] CloseHandle (hObject=0xf0) returned 1 [0116.287] GetProcessHeap () returned 0x4e0000 [0116.287] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.287] GetProcessHeap () returned 0x4e0000 [0116.287] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.287] GetProcessHeap () returned 0x4e0000 [0116.287] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.287] GetProcessHeap () returned 0x4e0000 [0116.287] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.288] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" [0116.288] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.NEPHILIM") returned="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.NEPHILIM" [0116.288] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.NEPHILIM" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.nephilim")) returned 1 [0116.288] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93c9960, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xedfa2720, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2=".") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="..") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="...") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="windows") returned -1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="$RECYCLE.BIN") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="rsa") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="log") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="NTDETECT.COM") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="ntldr") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="MSDOS.SYS") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="IO.SYS") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="boot.ini") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="AUTOEXEC.BAT") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="ntuser.dat") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="desktop.ini") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="CONFIG.SYS") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="RECYCLER") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="BOOTSECT.BAK") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="bootmgr") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="programdata") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="appdata") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="program files") returned 1 [0116.289] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="program files (x86)") returned 1 [0116.289] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\") returned="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" [0116.290] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="VC_redist.x86.exe" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" [0116.290] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0116.290] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0116.290] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93c9960, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xedfa2720, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0116.290] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.290] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2=".") returned 1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="..") returned 1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="...") returned 1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="windows") returned -1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="$RECYCLE.BIN") returned 1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="rsa") returned -1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="log") returned -1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="NTDETECT.COM") returned -1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="ntldr") returned -1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="MSDOS.SYS") returned -1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="IO.SYS") returned -1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="boot.ini") returned -1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="AUTOEXEC.BAT") returned -1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="ntuser.dat") returned -1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="desktop.ini") returned -1 [0116.290] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="CONFIG.SYS") returned -1 [0116.291] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="RECYCLER") returned -1 [0116.291] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="BOOTSECT.BAK") returned -1 [0116.291] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="bootmgr") returned -1 [0116.291] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="programdata") returned -1 [0116.291] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="appdata") returned -1 [0116.291] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="program files") returned -1 [0116.291] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="program files (x86)") returned -1 [0116.291] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Package Cache\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\") returned="C:\\Users\\All Users\\Package Cache\\" [0116.291] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" [0116.291] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\" [0116.291] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\" [0116.291] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*" [0116.291] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.291] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.291] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.292] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.292] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.292] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="log") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0116.292] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0116.293] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0116.293] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0116.293] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0116.293] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0116.293] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0116.293] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0116.293] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0116.293] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\" [0116.293] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\", lpString2="packages" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" [0116.293] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\" [0116.293] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\" [0116.293] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*" [0116.293] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.293] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.293] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.294] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.294] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.294] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="...") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="windows") returned -1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$RECYCLE.BIN") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="rsa") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="log") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="NTDETECT.COM") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntldr") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="MSDOS.SYS") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="IO.SYS") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="boot.ini") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="AUTOEXEC.BAT") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntuser.dat") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="desktop.ini") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="CONFIG.SYS") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="RECYCLER") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="BOOTSECT.BAK") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="bootmgr") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="programdata") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="appdata") returned 1 [0116.294] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files") returned 1 [0116.295] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files (x86)") returned 1 [0116.295] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\" [0116.295] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" [0116.295] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" [0116.295] lstrcpyW (in: lpString1=0x24dd560, lpString2="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" [0116.295] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" [0116.295] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName=".", cAlternateFileName="")) returned 0x50a9c0 [0116.295] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.295] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="..", cAlternateFileName="")) returned 1 [0116.295] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.295] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.295] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x532ebf00, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x532ebf00, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x532ebf00, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0116.295] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0116.295] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0116.295] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0116.295] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="log") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0116.296] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0116.296] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" [0116.296] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\", lpString2="cab1.cab" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0116.296] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0116.296] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0116.296] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0116.296] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0116.297] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9b3800, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x4f9b3800, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x4f9b3800, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="...") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="windows") returned -1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="rsa") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="log") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="NTDETECT.COM") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntldr") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="MSDOS.SYS") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="IO.SYS") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="boot.ini") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntuser.dat") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="desktop.ini") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="CONFIG.SYS") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="RECYCLER") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="bootmgr") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="programdata") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="appdata") returned 1 [0116.297] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files") returned 1 [0116.298] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files (x86)") returned 1 [0116.298] lstrcpyW (in: lpString1=0x24dd358, lpString2="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" [0116.298] lstrcatW (in: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\", lpString2="vc_runtimeAdditional_x86.msi" | out: lpString1="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0116.298] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".NEPHILIM") returned -1 [0116.298] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0116.298] FindNextFileW (in: hFindFile=0x50a9c0, lpFindFileData=0x24dd108 | out: lpFindFileData=0x24dd108*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9b3800, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x4f9b3800, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x4f9b3800, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x24ddbe0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0116.298] FindClose (in: hFindFile=0x50a9c0 | out: hFindFile=0x50a9c0) returned 1 [0116.298] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x24de260, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0116.299] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.299] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x24de8e0, cFileName="packages", cAlternateFileName="")) returned 0 [0116.299] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.299] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0116.299] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.299] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2="...") returned 1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2="$RECYCLE.BIN") returned 1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2="rsa") returned 1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2="log") returned 1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2="NTDETECT.COM") returned 1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2="ntldr") returned 1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2="MSDOS.SYS") returned 1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2="IO.SYS") returned 1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2="boot.ini") returned 1 [0116.299] lstrcmpiW (lpString1="Start Menu", lpString2="AUTOEXEC.BAT") returned 1 [0116.300] lstrcmpiW (lpString1="Start Menu", lpString2="ntuser.dat") returned 1 [0116.300] lstrcmpiW (lpString1="Start Menu", lpString2="desktop.ini") returned 1 [0116.300] lstrcmpiW (lpString1="Start Menu", lpString2="CONFIG.SYS") returned 1 [0116.300] lstrcmpiW (lpString1="Start Menu", lpString2="RECYCLER") returned 1 [0116.300] lstrcmpiW (lpString1="Start Menu", lpString2="BOOTSECT.BAK") returned 1 [0116.300] lstrcmpiW (lpString1="Start Menu", lpString2="bootmgr") returned 1 [0116.300] lstrcmpiW (lpString1="Start Menu", lpString2="programdata") returned 1 [0116.300] lstrcmpiW (lpString1="Start Menu", lpString2="appdata") returned 1 [0116.300] lstrcmpiW (lpString1="Start Menu", lpString2="program files") returned 1 [0116.300] lstrcmpiW (lpString1="Start Menu", lpString2="program files (x86)") returned 1 [0116.300] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0116.300] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Start Menu" | out: lpString1="C:\\Users\\All Users\\Start Menu") returned="C:\\Users\\All Users\\Start Menu" [0116.300] lstrcatW (in: lpString1="C:\\Users\\All Users\\Start Menu", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Start Menu\\") returned="C:\\Users\\All Users\\Start Menu\\" [0116.300] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Start Menu\\" | out: lpString1="C:\\Users\\All Users\\Start Menu\\") returned="C:\\Users\\All Users\\Start Menu\\" [0116.300] lstrcatW (in: lpString1="C:\\Users\\All Users\\Start Menu\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Start Menu\\*.*") returned="C:\\Users\\All Users\\Start Menu\\*.*" [0116.300] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Start Menu\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0xffffffff [0116.300] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Sun", cAlternateFileName="")) returned 1 [0116.300] lstrcmpiW (lpString1="Sun", lpString2=".") returned 1 [0116.300] lstrcmpiW (lpString1="Sun", lpString2="..") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="...") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="windows") returned -1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="$RECYCLE.BIN") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="rsa") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="log") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="NTDETECT.COM") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="ntldr") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="MSDOS.SYS") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="IO.SYS") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="boot.ini") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="AUTOEXEC.BAT") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="ntuser.dat") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="desktop.ini") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="CONFIG.SYS") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="RECYCLER") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="BOOTSECT.BAK") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="bootmgr") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="programdata") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="appdata") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="program files") returned 1 [0116.301] lstrcmpiW (lpString1="Sun", lpString2="program files (x86)") returned 1 [0116.301] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0116.301] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Sun" | out: lpString1="C:\\Users\\All Users\\Sun") returned="C:\\Users\\All Users\\Sun" [0116.302] lstrcatW (in: lpString1="C:\\Users\\All Users\\Sun", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Sun\\") returned="C:\\Users\\All Users\\Sun\\" [0116.302] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Sun\\" | out: lpString1="C:\\Users\\All Users\\Sun\\") returned="C:\\Users\\All Users\\Sun\\" [0116.302] lstrcatW (in: lpString1="C:\\Users\\All Users\\Sun\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Sun\\*.*") returned="C:\\Users\\All Users\\Sun\\*.*" [0116.302] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Sun\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.303] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.303] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.303] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.303] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.303] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Java", cAlternateFileName="")) returned 1 [0116.303] lstrcmpiW (lpString1="Java", lpString2=".") returned 1 [0116.303] lstrcmpiW (lpString1="Java", lpString2="..") returned 1 [0116.303] lstrcmpiW (lpString1="Java", lpString2="...") returned 1 [0116.303] lstrcmpiW (lpString1="Java", lpString2="windows") returned -1 [0116.303] lstrcmpiW (lpString1="Java", lpString2="$RECYCLE.BIN") returned 1 [0116.303] lstrcmpiW (lpString1="Java", lpString2="rsa") returned -1 [0116.303] lstrcmpiW (lpString1="Java", lpString2="log") returned -1 [0116.303] lstrcmpiW (lpString1="Java", lpString2="NTDETECT.COM") returned -1 [0116.303] lstrcmpiW (lpString1="Java", lpString2="ntldr") returned -1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="MSDOS.SYS") returned -1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="IO.SYS") returned 1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="boot.ini") returned 1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="AUTOEXEC.BAT") returned 1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="ntuser.dat") returned -1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="desktop.ini") returned 1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="CONFIG.SYS") returned 1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="RECYCLER") returned -1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="BOOTSECT.BAK") returned 1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="bootmgr") returned 1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="programdata") returned -1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="appdata") returned 1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="program files") returned -1 [0116.304] lstrcmpiW (lpString1="Java", lpString2="program files (x86)") returned -1 [0116.304] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\All Users\\Sun\\" | out: lpString1="C:\\Users\\All Users\\Sun\\") returned="C:\\Users\\All Users\\Sun\\" [0116.304] lstrcatW (in: lpString1="C:\\Users\\All Users\\Sun\\", lpString2="Java" | out: lpString1="C:\\Users\\All Users\\Sun\\Java") returned="C:\\Users\\All Users\\Sun\\Java" [0116.304] lstrcatW (in: lpString1="C:\\Users\\All Users\\Sun\\Java", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Sun\\Java\\") returned="C:\\Users\\All Users\\Sun\\Java\\" [0116.304] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\All Users\\Sun\\Java\\" | out: lpString1="C:\\Users\\All Users\\Sun\\Java\\") returned="C:\\Users\\All Users\\Sun\\Java\\" [0116.304] lstrcatW (in: lpString1="C:\\Users\\All Users\\Sun\\Java\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Sun\\Java\\*.*") returned="C:\\Users\\All Users\\Sun\\Java\\*.*" [0116.304] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Sun\\Java\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360034, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.305] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.305] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360034, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.305] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.305] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.305] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360034, dwReserved1=0x24de8e0, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 1 [0116.305] lstrcmpiW (lpString1="Java Update", lpString2=".") returned 1 [0116.305] lstrcmpiW (lpString1="Java Update", lpString2="..") returned 1 [0116.305] lstrcmpiW (lpString1="Java Update", lpString2="...") returned 1 [0116.305] lstrcmpiW (lpString1="Java Update", lpString2="windows") returned -1 [0116.305] lstrcmpiW (lpString1="Java Update", lpString2="$RECYCLE.BIN") returned 1 [0116.305] lstrcmpiW (lpString1="Java Update", lpString2="rsa") returned -1 [0116.305] lstrcmpiW (lpString1="Java Update", lpString2="log") returned -1 [0116.305] lstrcmpiW (lpString1="Java Update", lpString2="NTDETECT.COM") returned -1 [0116.305] lstrcmpiW (lpString1="Java Update", lpString2="ntldr") returned -1 [0116.305] lstrcmpiW (lpString1="Java Update", lpString2="MSDOS.SYS") returned -1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="IO.SYS") returned 1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="boot.ini") returned 1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="AUTOEXEC.BAT") returned 1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="ntuser.dat") returned -1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="desktop.ini") returned 1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="CONFIG.SYS") returned 1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="RECYCLER") returned -1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="BOOTSECT.BAK") returned 1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="bootmgr") returned 1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="programdata") returned -1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="appdata") returned 1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="program files") returned -1 [0116.306] lstrcmpiW (lpString1="Java Update", lpString2="program files (x86)") returned -1 [0116.306] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\All Users\\Sun\\Java\\" | out: lpString1="C:\\Users\\All Users\\Sun\\Java\\") returned="C:\\Users\\All Users\\Sun\\Java\\" [0116.306] lstrcatW (in: lpString1="C:\\Users\\All Users\\Sun\\Java\\", lpString2="Java Update" | out: lpString1="C:\\Users\\All Users\\Sun\\Java\\Java Update") returned="C:\\Users\\All Users\\Sun\\Java\\Java Update" [0116.306] lstrcatW (in: lpString1="C:\\Users\\All Users\\Sun\\Java\\Java Update", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Sun\\Java\\Java Update\\") returned="C:\\Users\\All Users\\Sun\\Java\\Java Update\\" [0116.306] lstrcpyW (in: lpString1=0x24ddbe0, lpString2="C:\\Users\\All Users\\Sun\\Java\\Java Update\\" | out: lpString1="C:\\Users\\All Users\\Sun\\Java\\Java Update\\") returned="C:\\Users\\All Users\\Sun\\Java\\Java Update\\" [0116.306] lstrcatW (in: lpString1="C:\\Users\\All Users\\Sun\\Java\\Java Update\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*") returned="C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*" [0116.306] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*", lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x40003e, dwReserved1=0x24de260, cFileName=".", cAlternateFileName="")) returned 0x50a980 [0116.307] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.307] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x40003e, dwReserved1=0x24de260, cFileName="..", cAlternateFileName="")) returned 1 [0116.307] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.307] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.307] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x77, dwReserved0=0x40003e, dwReserved1=0x24de260, cFileName="jaureglist.xml", cAlternateFileName="JAUREG~1.XML")) returned 1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2=".") returned 1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2="..") returned 1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2="...") returned 1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2="windows") returned -1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2="$RECYCLE.BIN") returned 1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2="rsa") returned -1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2="log") returned -1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2="NTDETECT.COM") returned -1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2="ntldr") returned -1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2="MSDOS.SYS") returned -1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2="IO.SYS") returned 1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2="boot.ini") returned 1 [0116.307] lstrcmpiW (lpString1="jaureglist.xml", lpString2="AUTOEXEC.BAT") returned 1 [0116.308] lstrcmpiW (lpString1="jaureglist.xml", lpString2="ntuser.dat") returned -1 [0116.308] lstrcmpiW (lpString1="jaureglist.xml", lpString2="desktop.ini") returned 1 [0116.308] lstrcmpiW (lpString1="jaureglist.xml", lpString2="CONFIG.SYS") returned 1 [0116.308] lstrcmpiW (lpString1="jaureglist.xml", lpString2="RECYCLER") returned -1 [0116.308] lstrcmpiW (lpString1="jaureglist.xml", lpString2="BOOTSECT.BAK") returned 1 [0116.308] lstrcmpiW (lpString1="jaureglist.xml", lpString2="bootmgr") returned 1 [0116.308] lstrcmpiW (lpString1="jaureglist.xml", lpString2="programdata") returned -1 [0116.308] lstrcmpiW (lpString1="jaureglist.xml", lpString2="appdata") returned 1 [0116.308] lstrcmpiW (lpString1="jaureglist.xml", lpString2="program files") returned -1 [0116.308] lstrcmpiW (lpString1="jaureglist.xml", lpString2="program files (x86)") returned -1 [0116.308] lstrcpyW (in: lpString1=0x24dd9d8, lpString2="C:\\Users\\All Users\\Sun\\Java\\Java Update\\" | out: lpString1="C:\\Users\\All Users\\Sun\\Java\\Java Update\\") returned="C:\\Users\\All Users\\Sun\\Java\\Java Update\\" [0116.308] lstrcatW (in: lpString1="C:\\Users\\All Users\\Sun\\Java\\Java Update\\", lpString2="jaureglist.xml" | out: lpString1="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml") returned="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml" [0116.308] PathFindExtensionW (pszPath="jaureglist.xml") returned=".xml" [0116.308] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0116.308] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0116.308] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0116.308] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0116.308] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0116.308] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0116.308] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0116.308] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0116.308] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0116.309] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0116.309] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0116.309] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0116.309] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0116.309] lstrcmpiW (lpString1=".xml", lpString2=".NEPHILIM") returned 1 [0116.309] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0116.309] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0116.309] lstrcmpiW (lpString1="jaureglist.xml", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0116.309] lstrlenA (lpString="NEPHILIM") returned 8 [0116.309] GetProcessHeap () returned 0x4e0000 [0116.309] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50be90 [0116.309] lstrlenA (lpString="NEPHILIM") returned 8 [0116.309] CreateFileW (lpFileName="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\users\\all users\\sun\\java\\java update\\jaureglist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf4 [0116.310] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x24dd748 | out: lpFileSize=0x24dd748*=119) returned 1 [0116.310] GetProcessHeap () returned 0x4e0000 [0116.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.310] GetProcessHeap () returned 0x4e0000 [0116.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.310] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.310] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.310] GetProcessHeap () returned 0x4e0000 [0116.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.310] GetProcessHeap () returned 0x4e0000 [0116.310] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.310] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24dd508*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24dd508*=0x100) returned 1 [0116.311] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24dd504*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24dd504*=0x100) returned 1 [0116.311] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x77, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.311] SetLastError (dwErrCode=0x0) [0116.311] WriteFile (in: hFile=0xf4, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0116.313] GetLastError () returned 0x0 [0116.313] GetLastError () returned 0x0 [0116.313] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x177, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.313] WriteFile (in: hFile=0xf4, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24dd73c*=0x100, lpOverlapped=0x0) returned 1 [0116.313] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x277, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.313] lstrlenA (lpString="NEPHILIM") returned 8 [0116.313] WriteFile (in: hFile=0xf4, lpBuffer=0x50be90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x50be90*, lpNumberOfBytesWritten=0x24dd73c*=0x8, lpOverlapped=0x0) returned 1 [0116.314] GetProcessHeap () returned 0x4e0000 [0116.314] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x77) returned 0x4f18c0 [0116.314] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.314] ReadFile (in: hFile=0xf4, lpBuffer=0x4f18c0, nNumberOfBytesToRead=0x77, lpNumberOfBytesRead=0x24dd730, lpOverlapped=0x0 | out: lpBuffer=0x4f18c0*, lpNumberOfBytesRead=0x24dd730*=0x77, lpOverlapped=0x0) returned 1 [0116.314] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.314] WriteFile (in: hFile=0xf4, lpBuffer=0x4f18c0*, nNumberOfBytesToWrite=0x77, lpNumberOfBytesWritten=0x24dd73c, lpOverlapped=0x0 | out: lpBuffer=0x4f18c0*, lpNumberOfBytesWritten=0x24dd73c*=0x77, lpOverlapped=0x0) returned 1 [0116.314] GetProcessHeap () returned 0x4e0000 [0116.314] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f18c0 | out: hHeap=0x4e0000) returned 1 [0116.314] CloseHandle (hObject=0xf4) returned 1 [0116.314] GetProcessHeap () returned 0x4e0000 [0116.314] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.314] GetProcessHeap () returned 0x4e0000 [0116.314] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.314] GetProcessHeap () returned 0x4e0000 [0116.315] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.315] GetProcessHeap () returned 0x4e0000 [0116.315] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.315] lstrcpyW (in: lpString1=0x24dd528, lpString2="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml" | out: lpString1="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml") returned="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml" [0116.315] lstrcatW (in: lpString1="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml.NEPHILIM") returned="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml.NEPHILIM" [0116.315] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\users\\all users\\sun\\java\\java update\\jaureglist.xml"), lpNewFileName="C:\\Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml.NEPHILIM" (normalized: "c:\\users\\all users\\sun\\java\\java update\\jaureglist.xml.nephilim")) returned 1 [0116.316] FindNextFileW (in: hFindFile=0x50a980, lpFindFileData=0x24dd788 | out: lpFindFileData=0x24dd788*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x77, dwReserved0=0x40003e, dwReserved1=0x24de260, cFileName="jaureglist.xml", cAlternateFileName="JAUREG~1.XML")) returned 0 [0116.316] FindClose (in: hFindFile=0x50a980 | out: hFindFile=0x50a980) returned 1 [0116.316] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360034, dwReserved1=0x24de8e0, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 0 [0116.316] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.316] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Java", cAlternateFileName="")) returned 0 [0116.316] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.316] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0116.316] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0116.316] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0116.316] lstrcmpiW (lpString1="Templates", lpString2="...") returned 1 [0116.316] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0116.316] lstrcmpiW (lpString1="Templates", lpString2="$RECYCLE.BIN") returned 1 [0116.316] lstrcmpiW (lpString1="Templates", lpString2="rsa") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="log") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="NTDETECT.COM") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="ntldr") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="MSDOS.SYS") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="IO.SYS") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="boot.ini") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="AUTOEXEC.BAT") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="ntuser.dat") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="desktop.ini") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="CONFIG.SYS") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="RECYCLER") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="BOOTSECT.BAK") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="programdata") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="appdata") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="program files") returned 1 [0116.317] lstrcmpiW (lpString1="Templates", lpString2="program files (x86)") returned 1 [0116.317] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\All Users\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0116.317] lstrcatW (in: lpString1="C:\\Users\\All Users\\", lpString2="Templates" | out: lpString1="C:\\Users\\All Users\\Templates") returned="C:\\Users\\All Users\\Templates" [0116.317] lstrcatW (in: lpString1="C:\\Users\\All Users\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\Templates\\") returned="C:\\Users\\All Users\\Templates\\" [0116.317] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\All Users\\Templates\\" | out: lpString1="C:\\Users\\All Users\\Templates\\") returned="C:\\Users\\All Users\\Templates\\" [0116.317] lstrcatW (in: lpString1="C:\\Users\\All Users\\Templates\\", lpString2="*.*" | out: lpString1="C:\\Users\\All Users\\Templates\\*.*") returned="C:\\Users\\All Users\\Templates\\*.*" [0116.317] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Templates\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x24def60, cFileName="Java", cAlternateFileName="")) returned 0xffffffff [0116.318] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0116.318] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0116.318] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x3c67b114, cFileName="Default", cAlternateFileName="")) returned 1 [0116.318] lstrcmpiW (lpString1="Default", lpString2=".") returned 1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="..") returned 1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="...") returned 1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="windows") returned -1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="$RECYCLE.BIN") returned 1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="rsa") returned -1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="log") returned -1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="NTDETECT.COM") returned -1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="ntldr") returned -1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="MSDOS.SYS") returned -1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="IO.SYS") returned -1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="boot.ini") returned 1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="AUTOEXEC.BAT") returned 1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="ntuser.dat") returned -1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="desktop.ini") returned -1 [0116.318] lstrcmpiW (lpString1="Default", lpString2="CONFIG.SYS") returned 1 [0116.319] lstrcmpiW (lpString1="Default", lpString2="RECYCLER") returned -1 [0116.319] lstrcmpiW (lpString1="Default", lpString2="BOOTSECT.BAK") returned 1 [0116.319] lstrcmpiW (lpString1="Default", lpString2="bootmgr") returned 1 [0116.319] lstrcmpiW (lpString1="Default", lpString2="programdata") returned -1 [0116.319] lstrcmpiW (lpString1="Default", lpString2="appdata") returned 1 [0116.319] lstrcmpiW (lpString1="Default", lpString2="program files") returned -1 [0116.319] lstrcmpiW (lpString1="Default", lpString2="program files (x86)") returned -1 [0116.319] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Users\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\" [0116.319] lstrcatW (in: lpString1="C:\\Users\\", lpString2="Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default" [0116.319] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.319] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.319] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\*.*") returned="C:\\Users\\Default\\*.*" [0116.319] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0116.319] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.319] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.319] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.320] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.320] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="AppData", cAlternateFileName="")) returned 1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="...") returned 1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="$RECYCLE.BIN") returned 1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="rsa") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="log") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="NTDETECT.COM") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="ntldr") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="MSDOS.SYS") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="IO.SYS") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="boot.ini") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="AUTOEXEC.BAT") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="ntuser.dat") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="desktop.ini") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="CONFIG.SYS") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="RECYCLER") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="BOOTSECT.BAK") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="programdata") returned -1 [0116.320] lstrcmpiW (lpString1="AppData", lpString2="appdata") returned 0 [0116.320] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="...") returned 1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="$RECYCLE.BIN") returned 1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="rsa") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="log") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="NTDETECT.COM") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="ntldr") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="MSDOS.SYS") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="IO.SYS") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="boot.ini") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="AUTOEXEC.BAT") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="ntuser.dat") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="desktop.ini") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="CONFIG.SYS") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="RECYCLER") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="BOOTSECT.BAK") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="programdata") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="appdata") returned 1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="program files") returned -1 [0116.321] lstrcmpiW (lpString1="Application Data", lpString2="program files (x86)") returned -1 [0116.321] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.321] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Application Data" | out: lpString1="C:\\Users\\Default\\Application Data") returned="C:\\Users\\Default\\Application Data" [0116.322] lstrcatW (in: lpString1="C:\\Users\\Default\\Application Data", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Application Data\\") returned="C:\\Users\\Default\\Application Data\\" [0116.322] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Application Data\\" | out: lpString1="C:\\Users\\Default\\Application Data\\") returned="C:\\Users\\Default\\Application Data\\" [0116.322] lstrcatW (in: lpString1="C:\\Users\\Default\\Application Data\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Application Data\\*.*") returned="C:\\Users\\Default\\Application Data\\*.*" [0116.322] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Application Data\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x759bddc7, ftCreationTime.dwLowDateTime=0x24de81c, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x50fd10, ftLastAccessTime.dwHighDateTime=0x24dfeb4, ftLastWriteTime.dwLowDateTime=0x77cb1ecd, ftLastWriteTime.dwHighDateTime=0x24de844, nFileSizeHigh=0xfffffffe, nFileSizeLow=0x14, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName="Ȩ", cAlternateFileName="\x98")) returned 0xffffffff [0116.322] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2=".") returned 1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="..") returned 1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="...") returned 1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="windows") returned -1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="$RECYCLE.BIN") returned 1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="rsa") returned -1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="log") returned -1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="NTDETECT.COM") returned -1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="ntldr") returned -1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="MSDOS.SYS") returned -1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="IO.SYS") returned -1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="boot.ini") returned 1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="AUTOEXEC.BAT") returned 1 [0116.322] lstrcmpiW (lpString1="Contacts", lpString2="ntuser.dat") returned -1 [0116.323] lstrcmpiW (lpString1="Contacts", lpString2="desktop.ini") returned -1 [0116.323] lstrcmpiW (lpString1="Contacts", lpString2="CONFIG.SYS") returned 1 [0116.323] lstrcmpiW (lpString1="Contacts", lpString2="RECYCLER") returned -1 [0116.323] lstrcmpiW (lpString1="Contacts", lpString2="BOOTSECT.BAK") returned 1 [0116.323] lstrcmpiW (lpString1="Contacts", lpString2="bootmgr") returned 1 [0116.323] lstrcmpiW (lpString1="Contacts", lpString2="programdata") returned -1 [0116.323] lstrcmpiW (lpString1="Contacts", lpString2="appdata") returned 1 [0116.323] lstrcmpiW (lpString1="Contacts", lpString2="program files") returned -1 [0116.323] lstrcmpiW (lpString1="Contacts", lpString2="program files (x86)") returned -1 [0116.323] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.323] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Contacts" | out: lpString1="C:\\Users\\Default\\Contacts") returned="C:\\Users\\Default\\Contacts" [0116.323] lstrcatW (in: lpString1="C:\\Users\\Default\\Contacts", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Contacts\\") returned="C:\\Users\\Default\\Contacts\\" [0116.323] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Contacts\\" | out: lpString1="C:\\Users\\Default\\Contacts\\") returned="C:\\Users\\Default\\Contacts\\" [0116.323] lstrcatW (in: lpString1="C:\\Users\\Default\\Contacts\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Contacts\\*.*") returned="C:\\Users\\Default\\Contacts\\*.*" [0116.323] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Contacts\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.324] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.324] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.324] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.324] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.324] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0116.324] lstrcmpiW (lpString1="Administrator.contact", lpString2=".") returned 1 [0116.324] lstrcmpiW (lpString1="Administrator.contact", lpString2="..") returned 1 [0116.324] lstrcmpiW (lpString1="Administrator.contact", lpString2="...") returned 1 [0116.324] lstrcmpiW (lpString1="Administrator.contact", lpString2="windows") returned -1 [0116.324] lstrcmpiW (lpString1="Administrator.contact", lpString2="$RECYCLE.BIN") returned 1 [0116.324] lstrcmpiW (lpString1="Administrator.contact", lpString2="rsa") returned -1 [0116.324] lstrcmpiW (lpString1="Administrator.contact", lpString2="log") returned -1 [0116.324] lstrcmpiW (lpString1="Administrator.contact", lpString2="NTDETECT.COM") returned -1 [0116.324] lstrcmpiW (lpString1="Administrator.contact", lpString2="ntldr") returned -1 [0116.324] lstrcmpiW (lpString1="Administrator.contact", lpString2="MSDOS.SYS") returned -1 [0116.324] lstrcmpiW (lpString1="Administrator.contact", lpString2="IO.SYS") returned -1 [0116.325] lstrcmpiW (lpString1="Administrator.contact", lpString2="boot.ini") returned -1 [0116.325] lstrcmpiW (lpString1="Administrator.contact", lpString2="AUTOEXEC.BAT") returned -1 [0116.325] lstrcmpiW (lpString1="Administrator.contact", lpString2="ntuser.dat") returned -1 [0116.325] lstrcmpiW (lpString1="Administrator.contact", lpString2="desktop.ini") returned -1 [0116.325] lstrcmpiW (lpString1="Administrator.contact", lpString2="CONFIG.SYS") returned -1 [0116.325] lstrcmpiW (lpString1="Administrator.contact", lpString2="RECYCLER") returned -1 [0116.325] lstrcmpiW (lpString1="Administrator.contact", lpString2="BOOTSECT.BAK") returned -1 [0116.325] lstrcmpiW (lpString1="Administrator.contact", lpString2="bootmgr") returned -1 [0116.325] lstrcmpiW (lpString1="Administrator.contact", lpString2="programdata") returned -1 [0116.325] lstrcmpiW (lpString1="Administrator.contact", lpString2="appdata") returned -1 [0116.325] lstrcmpiW (lpString1="Administrator.contact", lpString2="program files") returned -1 [0116.325] lstrcmpiW (lpString1="Administrator.contact", lpString2="program files (x86)") returned -1 [0116.325] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Contacts\\" | out: lpString1="C:\\Users\\Default\\Contacts\\") returned="C:\\Users\\Default\\Contacts\\" [0116.325] lstrcatW (in: lpString1="C:\\Users\\Default\\Contacts\\", lpString2="Administrator.contact" | out: lpString1="C:\\Users\\Default\\Contacts\\Administrator.contact") returned="C:\\Users\\Default\\Contacts\\Administrator.contact" [0116.325] PathFindExtensionW (pszPath="Administrator.contact") returned=".contact" [0116.325] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0116.325] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0116.325] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0116.325] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0116.325] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0116.325] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0116.326] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0116.326] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0116.326] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0116.326] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0116.326] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0116.326] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0116.326] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0116.326] lstrcmpiW (lpString1=".contact", lpString2=".NEPHILIM") returned -1 [0116.326] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0116.326] lstrcmpiW (lpString1=".contact", lpString2=".lnk") returned -1 [0116.326] lstrcmpiW (lpString1="Administrator.contact", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0116.326] lstrlenA (lpString="NEPHILIM") returned 8 [0116.326] GetProcessHeap () returned 0x4e0000 [0116.326] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bea0 [0116.326] lstrlenA (lpString="NEPHILIM") returned 8 [0116.326] CreateFileW (lpFileName="C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0116.327] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=68382) returned 1 [0116.327] GetProcessHeap () returned 0x4e0000 [0116.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.327] GetProcessHeap () returned 0x4e0000 [0116.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.327] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.327] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.327] GetProcessHeap () returned 0x4e0000 [0116.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.327] GetProcessHeap () returned 0x4e0000 [0116.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.327] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0116.328] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0116.328] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10b1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.328] SetLastError (dwErrCode=0x0) [0116.328] WriteFile (in: hFile=0xec, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0116.340] GetLastError () returned 0x0 [0116.340] GetLastError () returned 0x0 [0116.340] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10c1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.340] WriteFile (in: hFile=0xec, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0116.340] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x10d1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.340] lstrlenA (lpString="NEPHILIM") returned 8 [0116.340] WriteFile (in: hFile=0xec, lpBuffer=0x50bea0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bea0*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0116.340] GetProcessHeap () returned 0x4e0000 [0116.340] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10b1e) returned 0x51efd8 [0116.340] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.340] ReadFile (in: hFile=0xec, lpBuffer=0x51efd8, nNumberOfBytesToRead=0x10b1e, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesRead=0x24de430*=0x10b1e, lpOverlapped=0x0) returned 1 [0116.346] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.346] WriteFile (in: hFile=0xec, lpBuffer=0x51efd8*, nNumberOfBytesToWrite=0x10b1e, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesWritten=0x24de43c*=0x10b1e, lpOverlapped=0x0) returned 1 [0116.346] GetProcessHeap () returned 0x4e0000 [0116.346] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51efd8 | out: hHeap=0x4e0000) returned 1 [0116.346] CloseHandle (hObject=0xec) returned 1 [0116.346] GetProcessHeap () returned 0x4e0000 [0116.346] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.347] GetProcessHeap () returned 0x4e0000 [0116.347] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.347] GetProcessHeap () returned 0x4e0000 [0116.347] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.347] GetProcessHeap () returned 0x4e0000 [0116.347] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.347] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\Default\\Contacts\\Administrator.contact" | out: lpString1="C:\\Users\\Default\\Contacts\\Administrator.contact") returned="C:\\Users\\Default\\Contacts\\Administrator.contact" [0116.347] lstrcatW (in: lpString1="C:\\Users\\Default\\Contacts\\Administrator.contact", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Default\\Contacts\\Administrator.contact.NEPHILIM") returned="C:\\Users\\Default\\Contacts\\Administrator.contact.NEPHILIM" [0116.347] MoveFileW (lpExistingFileName="C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), lpNewFileName="C:\\Users\\Default\\Contacts\\Administrator.contact.NEPHILIM" (normalized: "c:\\users\\default\\contacts\\administrator.contact.nephilim")) returned 1 [0116.348] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.348] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.348] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0116.348] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.349] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0116.349] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0116.349] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="...") returned 1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="windows") returned -1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="$RECYCLE.BIN") returned 1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="rsa") returned -1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="log") returned -1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="NTDETECT.COM") returned -1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="ntldr") returned -1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="MSDOS.SYS") returned -1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="IO.SYS") returned -1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="boot.ini") returned 1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="AUTOEXEC.BAT") returned 1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="ntuser.dat") returned -1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="desktop.ini") returned -1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="CONFIG.SYS") returned 1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="RECYCLER") returned -1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="BOOTSECT.BAK") returned 1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="bootmgr") returned 1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="programdata") returned -1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="appdata") returned 1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="program files") returned -1 [0116.350] lstrcmpiW (lpString1="Cookies", lpString2="program files (x86)") returned -1 [0116.350] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.350] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Cookies" | out: lpString1="C:\\Users\\Default\\Cookies") returned="C:\\Users\\Default\\Cookies" [0116.350] lstrcatW (in: lpString1="C:\\Users\\Default\\Cookies", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Cookies\\") returned="C:\\Users\\Default\\Cookies\\" [0116.350] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Cookies\\" | out: lpString1="C:\\Users\\Default\\Cookies\\") returned="C:\\Users\\Default\\Cookies\\" [0116.351] lstrcatW (in: lpString1="C:\\Users\\Default\\Cookies\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Cookies\\*.*") returned="C:\\Users\\Default\\Cookies\\*.*" [0116.351] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Cookies\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0116.351] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="$RECYCLE.BIN") returned 1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="log") returned -1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="NTDETECT.COM") returned -1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="ntldr") returned -1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="MSDOS.SYS") returned -1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="IO.SYS") returned -1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="boot.ini") returned 1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="AUTOEXEC.BAT") returned 1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="desktop.ini") returned -1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="CONFIG.SYS") returned 1 [0116.351] lstrcmpiW (lpString1="Desktop", lpString2="RECYCLER") returned -1 [0116.352] lstrcmpiW (lpString1="Desktop", lpString2="BOOTSECT.BAK") returned 1 [0116.352] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0116.352] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0116.352] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0116.352] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0116.352] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0116.352] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.352] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Desktop" | out: lpString1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0116.352] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Desktop\\") returned="C:\\Users\\Default\\Desktop\\" [0116.352] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Desktop\\" | out: lpString1="C:\\Users\\Default\\Desktop\\") returned="C:\\Users\\Default\\Desktop\\" [0116.352] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Desktop\\*.*") returned="C:\\Users\\Default\\Desktop\\*.*" [0116.352] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.352] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.353] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.353] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.353] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.353] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.353] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.353] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0116.353] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.353] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0116.353] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="log") returned -1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0116.354] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0116.354] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.354] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Documents" | out: lpString1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0116.355] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\" [0116.355] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Documents\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\" [0116.355] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Documents\\*.*") returned="C:\\Users\\Default\\Documents\\*.*" [0116.355] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.356] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.356] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.356] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.356] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.356] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x2a0028, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.356] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.357] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.357] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.357] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="$RECYCLE.BIN") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="log") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="NTDETECT.COM") returned -1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="ntldr") returned -1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="MSDOS.SYS") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="IO.SYS") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="boot.ini") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="AUTOEXEC.BAT") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="desktop.ini") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="CONFIG.SYS") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="RECYCLER") returned -1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="BOOTSECT.BAK") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0116.357] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0116.358] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0116.358] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0116.358] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Documents\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\" [0116.358] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\Default\\Documents\\My Music") returned="C:\\Users\\Default\\Documents\\My Music" [0116.358] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Music\\") returned="C:\\Users\\Default\\Documents\\My Music\\" [0116.358] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Default\\Documents\\My Music\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Music\\") returned="C:\\Users\\Default\\Documents\\My Music\\" [0116.358] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Documents\\My Music\\*.*") returned="C:\\Users\\Default\\Documents\\My Music\\*.*" [0116.358] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Music\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x759be647, ftCreationTime.dwLowDateTime=0x24de19c, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x50fd10, ftLastAccessTime.dwHighDateTime=0x24dfeb4, ftLastWriteTime.dwLowDateTime=0x77cb1ecd, ftLastWriteTime.dwHighDateTime=0x24de1c4, nFileSizeHigh=0xfffffffe, nFileSizeLow=0x1e, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Ȩ", cAlternateFileName="\x98")) returned 0xffffffff [0116.358] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0116.358] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0116.358] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0116.358] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0116.358] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0116.358] lstrcmpiW (lpString1="My Pictures", lpString2="$RECYCLE.BIN") returned 1 [0116.358] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0116.358] lstrcmpiW (lpString1="My Pictures", lpString2="log") returned 1 [0116.358] lstrcmpiW (lpString1="My Pictures", lpString2="NTDETECT.COM") returned -1 [0116.358] lstrcmpiW (lpString1="My Pictures", lpString2="ntldr") returned -1 [0116.358] lstrcmpiW (lpString1="My Pictures", lpString2="MSDOS.SYS") returned 1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="IO.SYS") returned 1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="boot.ini") returned 1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="desktop.ini") returned 1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="CONFIG.SYS") returned 1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="RECYCLER") returned -1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="BOOTSECT.BAK") returned 1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0116.359] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0116.359] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Documents\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\" [0116.359] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures") returned="C:\\Users\\Default\\Documents\\My Pictures" [0116.359] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\") returned="C:\\Users\\Default\\Documents\\My Pictures\\" [0116.359] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Default\\Documents\\My Pictures\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\") returned="C:\\Users\\Default\\Documents\\My Pictures\\" [0116.359] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\*.*") returned="C:\\Users\\Default\\Documents\\My Pictures\\*.*" [0116.359] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x759be647, ftCreationTime.dwLowDateTime=0x24de19c, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x50fd10, ftLastAccessTime.dwHighDateTime=0x24dfeb4, ftLastWriteTime.dwLowDateTime=0x77cb1ecd, ftLastWriteTime.dwHighDateTime=0x24de1c4, nFileSizeHigh=0xfffffffe, nFileSizeLow=0x1e, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Ȩ", cAlternateFileName="\x98")) returned 0xffffffff [0116.359] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0116.359] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="$RECYCLE.BIN") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="log") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="NTDETECT.COM") returned -1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="ntldr") returned -1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="MSDOS.SYS") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="IO.SYS") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="boot.ini") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="AUTOEXEC.BAT") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="desktop.ini") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="CONFIG.SYS") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="RECYCLER") returned -1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="BOOTSECT.BAK") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0116.360] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0116.360] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Documents\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\" [0116.360] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos") returned="C:\\Users\\Default\\Documents\\My Videos" [0116.360] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos\\") returned="C:\\Users\\Default\\Documents\\My Videos\\" [0116.361] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Default\\Documents\\My Videos\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos\\") returned="C:\\Users\\Default\\Documents\\My Videos\\" [0116.361] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos\\*.*") returned="C:\\Users\\Default\\Documents\\My Videos\\*.*" [0116.361] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Videos\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x759be647, ftCreationTime.dwLowDateTime=0x24de19c, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x50fd10, ftLastAccessTime.dwHighDateTime=0x24dfeb4, ftLastWriteTime.dwLowDateTime=0x77cb1ecd, ftLastWriteTime.dwHighDateTime=0x24de1c4, nFileSizeHigh=0xfffffffe, nFileSizeLow=0x1e, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Ȩ", cAlternateFileName="\x98")) returned 0xffffffff [0116.361] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0116.361] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.362] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="...") returned 1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="$RECYCLE.BIN") returned 1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="rsa") returned -1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="log") returned -1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="NTDETECT.COM") returned -1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="ntldr") returned -1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="MSDOS.SYS") returned -1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="IO.SYS") returned -1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="boot.ini") returned 1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="AUTOEXEC.BAT") returned 1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="ntuser.dat") returned -1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="desktop.ini") returned 1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="CONFIG.SYS") returned 1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="RECYCLER") returned -1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="BOOTSECT.BAK") returned 1 [0116.362] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0116.363] lstrcmpiW (lpString1="Downloads", lpString2="programdata") returned -1 [0116.363] lstrcmpiW (lpString1="Downloads", lpString2="appdata") returned 1 [0116.363] lstrcmpiW (lpString1="Downloads", lpString2="program files") returned -1 [0116.363] lstrcmpiW (lpString1="Downloads", lpString2="program files (x86)") returned -1 [0116.363] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.363] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Downloads" | out: lpString1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0116.363] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Downloads\\") returned="C:\\Users\\Default\\Downloads\\" [0116.363] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Downloads\\" | out: lpString1="C:\\Users\\Default\\Downloads\\") returned="C:\\Users\\Default\\Downloads\\" [0116.363] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Downloads\\*.*") returned="C:\\Users\\Default\\Downloads\\*.*" [0116.363] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.363] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.363] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.364] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.364] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.364] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.364] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.364] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0116.364] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.364] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0116.364] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0116.364] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="...") returned 1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="$RECYCLE.BIN") returned 1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="rsa") returned -1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="log") returned -1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="NTDETECT.COM") returned -1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="ntldr") returned -1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="MSDOS.SYS") returned -1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="IO.SYS") returned -1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="boot.ini") returned 1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="AUTOEXEC.BAT") returned 1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="ntuser.dat") returned -1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="desktop.ini") returned 1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="CONFIG.SYS") returned 1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="RECYCLER") returned -1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="BOOTSECT.BAK") returned 1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="bootmgr") returned 1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="programdata") returned -1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="appdata") returned 1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="program files") returned -1 [0116.365] lstrcmpiW (lpString1="Favorites", lpString2="program files (x86)") returned -1 [0116.365] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.365] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Favorites" | out: lpString1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0116.365] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Favorites\\") returned="C:\\Users\\Default\\Favorites\\" [0116.365] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Favorites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\") returned="C:\\Users\\Default\\Favorites\\" [0116.365] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Favorites\\*.*") returned="C:\\Users\\Default\\Favorites\\*.*" [0116.365] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.372] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.372] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.372] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.372] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.372] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.372] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.372] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Links", cAlternateFileName="")) returned 1 [0116.372] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0116.372] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="$RECYCLE.BIN") returned 1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="log") returned -1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="NTDETECT.COM") returned -1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="ntldr") returned -1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="MSDOS.SYS") returned -1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="IO.SYS") returned 1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="boot.ini") returned 1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="AUTOEXEC.BAT") returned 1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="desktop.ini") returned 1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="CONFIG.SYS") returned 1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="RECYCLER") returned -1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="BOOTSECT.BAK") returned 1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0116.373] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0116.373] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Favorites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\") returned="C:\\Users\\Default\\Favorites\\" [0116.373] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2="Links" | out: lpString1="C:\\Users\\Default\\Favorites\\Links") returned="C:\\Users\\Default\\Favorites\\Links" [0116.373] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Links", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Links\\") returned="C:\\Users\\Default\\Favorites\\Links\\" [0116.373] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Default\\Favorites\\Links\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Links\\") returned="C:\\Users\\Default\\Favorites\\Links\\" [0116.373] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Links\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Favorites\\Links\\*.*") returned="C:\\Users\\Default\\Favorites\\Links\\*.*" [0116.374] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\Links\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.374] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.374] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.374] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.374] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.374] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfefb1330, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.374] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.374] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.374] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.374] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.374] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.374] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.374] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.374] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.374] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.375] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.375] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.375] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.375] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.375] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.375] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.375] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb11062, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2=".") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="..") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="...") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="windows") returned -1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="$RECYCLE.BIN") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="rsa") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="log") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="NTDETECT.COM") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="ntldr") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="MSDOS.SYS") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="IO.SYS") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="boot.ini") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="ntuser.dat") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="desktop.ini") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="CONFIG.SYS") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="RECYCLER") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="BOOTSECT.BAK") returned 1 [0116.375] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="bootmgr") returned 1 [0116.376] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="programdata") returned 1 [0116.376] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="appdata") returned 1 [0116.376] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="program files") returned 1 [0116.376] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="program files (x86)") returned 1 [0116.376] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\Links\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Links\\") returned="C:\\Users\\Default\\Favorites\\Links\\" [0116.376] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Links\\", lpString2="Web Slice Gallery.url" | out: lpString1="C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url") returned="C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" [0116.376] PathFindExtensionW (pszPath="Web Slice Gallery.url") returned=".url" [0116.376] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.376] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.376] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.376] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.376] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.376] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.376] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.376] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.376] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.376] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb11062, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 0 [0116.376] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.376] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0116.376] lstrcmpiW (lpString1="Microsoft Websites", lpString2=".") returned 1 [0116.376] lstrcmpiW (lpString1="Microsoft Websites", lpString2="..") returned 1 [0116.376] lstrcmpiW (lpString1="Microsoft Websites", lpString2="...") returned 1 [0116.376] lstrcmpiW (lpString1="Microsoft Websites", lpString2="windows") returned -1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="$RECYCLE.BIN") returned 1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="rsa") returned -1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="log") returned 1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="NTDETECT.COM") returned -1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="ntldr") returned -1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="MSDOS.SYS") returned -1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="IO.SYS") returned 1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="boot.ini") returned 1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="AUTOEXEC.BAT") returned 1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="ntuser.dat") returned -1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="desktop.ini") returned 1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="CONFIG.SYS") returned 1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="RECYCLER") returned -1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="BOOTSECT.BAK") returned 1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="bootmgr") returned 1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="programdata") returned -1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="appdata") returned 1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="program files") returned -1 [0116.377] lstrcmpiW (lpString1="Microsoft Websites", lpString2="program files (x86)") returned -1 [0116.377] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Favorites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\") returned="C:\\Users\\Default\\Favorites\\" [0116.377] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2="Microsoft Websites" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites" [0116.377] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" [0116.377] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" [0116.377] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*" [0116.377] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.380] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.380] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.380] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.380] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.381] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa066c0, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2=".") returned 1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="..") returned 1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="...") returned 1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="windows") returned -1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="$RECYCLE.BIN") returned 1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="rsa") returned -1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="log") returned -1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="NTDETECT.COM") returned -1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="ntldr") returned -1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="MSDOS.SYS") returned -1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="IO.SYS") returned -1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="boot.ini") returned 1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="ntuser.dat") returned -1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="desktop.ini") returned 1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="CONFIG.SYS") returned 1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="RECYCLER") returned -1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="BOOTSECT.BAK") returned 1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="bootmgr") returned 1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="programdata") returned -1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="appdata") returned 1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="program files") returned -1 [0116.381] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="program files (x86)") returned -1 [0116.381] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" [0116.382] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="IE Add-on site.url" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" [0116.382] PathFindExtensionW (pszPath="IE Add-on site.url") returned=".url" [0116.382] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.382] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.382] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.382] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.382] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.382] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.382] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.382] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.382] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.382] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa066c0, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="IE site on Microsoft.com.url", cAlternateFileName="IESITE~1.URL")) returned 1 [0116.382] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2=".") returned 1 [0116.382] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="..") returned 1 [0116.382] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="...") returned 1 [0116.382] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="windows") returned -1 [0116.382] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="$RECYCLE.BIN") returned 1 [0116.382] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="rsa") returned -1 [0116.382] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="log") returned -1 [0116.382] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="NTDETECT.COM") returned -1 [0116.382] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="ntldr") returned -1 [0116.382] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="MSDOS.SYS") returned -1 [0116.382] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="IO.SYS") returned -1 [0116.382] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="boot.ini") returned 1 [0116.383] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.383] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="ntuser.dat") returned -1 [0116.383] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="desktop.ini") returned 1 [0116.383] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="CONFIG.SYS") returned 1 [0116.383] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="RECYCLER") returned -1 [0116.383] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="BOOTSECT.BAK") returned 1 [0116.383] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="bootmgr") returned 1 [0116.383] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="programdata") returned -1 [0116.383] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="appdata") returned 1 [0116.383] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="program files") returned -1 [0116.383] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="program files (x86)") returned -1 [0116.383] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" [0116.383] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="IE site on Microsoft.com.url" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" [0116.383] PathFindExtensionW (pszPath="IE site on Microsoft.com.url") returned=".url" [0116.383] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.383] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.383] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.383] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.383] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.383] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.383] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.383] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.383] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.383] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Microsoft At Home.url", cAlternateFileName="MICROS~3.URL")) returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2=".") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="..") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="...") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="windows") returned -1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="$RECYCLE.BIN") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="rsa") returned -1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="log") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="NTDETECT.COM") returned -1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="ntldr") returned -1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="MSDOS.SYS") returned -1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="IO.SYS") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="boot.ini") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="ntuser.dat") returned -1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="desktop.ini") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="CONFIG.SYS") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="RECYCLER") returned -1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="BOOTSECT.BAK") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="bootmgr") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="programdata") returned -1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="appdata") returned 1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="program files") returned -1 [0116.384] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="program files (x86)") returned -1 [0116.384] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" [0116.384] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="Microsoft At Home.url" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" [0116.384] PathFindExtensionW (pszPath="Microsoft At Home.url") returned=".url" [0116.385] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.385] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.385] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.385] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.385] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.385] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.385] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.385] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.385] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.385] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Microsoft At Work.url", cAlternateFileName="MICROS~2.URL")) returned 1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2=".") returned 1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="..") returned 1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="...") returned 1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="windows") returned -1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="$RECYCLE.BIN") returned 1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="rsa") returned -1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="log") returned 1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="NTDETECT.COM") returned -1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="ntldr") returned -1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="MSDOS.SYS") returned -1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="IO.SYS") returned 1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="boot.ini") returned 1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="ntuser.dat") returned -1 [0116.385] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="desktop.ini") returned 1 [0116.386] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="CONFIG.SYS") returned 1 [0116.386] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="RECYCLER") returned -1 [0116.386] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="BOOTSECT.BAK") returned 1 [0116.386] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="bootmgr") returned 1 [0116.386] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="programdata") returned -1 [0116.386] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="appdata") returned 1 [0116.386] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="program files") returned -1 [0116.386] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="program files (x86)") returned -1 [0116.386] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" [0116.386] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="Microsoft At Work.url" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" [0116.386] PathFindExtensionW (pszPath="Microsoft At Work.url") returned=".url" [0116.386] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.386] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.386] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.386] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.386] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.386] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.386] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.386] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.386] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.386] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2=".") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="..") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="...") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="windows") returned -1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="$RECYCLE.BIN") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="rsa") returned -1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="log") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="NTDETECT.COM") returned -1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="ntldr") returned -1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="MSDOS.SYS") returned -1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="IO.SYS") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="boot.ini") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="ntuser.dat") returned -1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="desktop.ini") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="CONFIG.SYS") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="RECYCLER") returned -1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="BOOTSECT.BAK") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="bootmgr") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="programdata") returned -1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="appdata") returned 1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="program files") returned -1 [0116.387] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="program files (x86)") returned -1 [0116.387] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\" [0116.387] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="Microsoft Store.url" | out: lpString1="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned="C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" [0116.388] PathFindExtensionW (pszPath="Microsoft Store.url") returned=".url" [0116.388] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.388] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.388] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.388] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.388] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.388] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.388] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.388] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.388] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.388] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 0 [0116.388] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.389] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2=".") returned 1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2="..") returned 1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2="...") returned 1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2="windows") returned -1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2="$RECYCLE.BIN") returned 1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2="rsa") returned -1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2="log") returned 1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2="NTDETECT.COM") returned -1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2="ntldr") returned -1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2="MSDOS.SYS") returned 1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2="IO.SYS") returned 1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2="boot.ini") returned 1 [0116.389] lstrcmpiW (lpString1="MSN Websites", lpString2="AUTOEXEC.BAT") returned 1 [0116.390] lstrcmpiW (lpString1="MSN Websites", lpString2="ntuser.dat") returned -1 [0116.390] lstrcmpiW (lpString1="MSN Websites", lpString2="desktop.ini") returned 1 [0116.390] lstrcmpiW (lpString1="MSN Websites", lpString2="CONFIG.SYS") returned 1 [0116.390] lstrcmpiW (lpString1="MSN Websites", lpString2="RECYCLER") returned -1 [0116.390] lstrcmpiW (lpString1="MSN Websites", lpString2="BOOTSECT.BAK") returned 1 [0116.390] lstrcmpiW (lpString1="MSN Websites", lpString2="bootmgr") returned 1 [0116.390] lstrcmpiW (lpString1="MSN Websites", lpString2="programdata") returned -1 [0116.390] lstrcmpiW (lpString1="MSN Websites", lpString2="appdata") returned 1 [0116.390] lstrcmpiW (lpString1="MSN Websites", lpString2="program files") returned -1 [0116.390] lstrcmpiW (lpString1="MSN Websites", lpString2="program files (x86)") returned -1 [0116.390] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Favorites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\") returned="C:\\Users\\Default\\Favorites\\" [0116.390] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2="MSN Websites" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites") returned="C:\\Users\\Default\\Favorites\\MSN Websites" [0116.390] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\" [0116.390] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\" [0116.390] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\*.*") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\*.*" [0116.390] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\MSN Websites\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.417] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.417] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.417] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.417] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.417] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0116.417] lstrcmpiW (lpString1="MSN Autos.url", lpString2=".") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="..") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="...") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="windows") returned -1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="$RECYCLE.BIN") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="rsa") returned -1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="log") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="NTDETECT.COM") returned -1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="ntldr") returned -1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="MSDOS.SYS") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="IO.SYS") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="boot.ini") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="ntuser.dat") returned -1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="desktop.ini") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="CONFIG.SYS") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="RECYCLER") returned -1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="BOOTSECT.BAK") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="bootmgr") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="programdata") returned -1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="appdata") returned 1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="program files") returned -1 [0116.418] lstrcmpiW (lpString1="MSN Autos.url", lpString2="program files (x86)") returned -1 [0116.418] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\" [0116.418] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSN Autos.url" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" [0116.419] PathFindExtensionW (pszPath="MSN Autos.url") returned=".url" [0116.419] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.419] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.419] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.419] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.419] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.419] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.419] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.419] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.419] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.419] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="MSN Entertainment.url", cAlternateFileName="MSNENT~1.URL")) returned 1 [0116.419] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2=".") returned 1 [0116.419] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="..") returned 1 [0116.419] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="...") returned 1 [0116.419] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="windows") returned -1 [0116.419] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="$RECYCLE.BIN") returned 1 [0116.419] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="rsa") returned -1 [0116.419] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="log") returned 1 [0116.419] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="NTDETECT.COM") returned -1 [0116.419] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="ntldr") returned -1 [0116.419] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="MSDOS.SYS") returned 1 [0116.419] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="IO.SYS") returned 1 [0116.419] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="boot.ini") returned 1 [0116.420] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.420] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="ntuser.dat") returned -1 [0116.420] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="desktop.ini") returned 1 [0116.420] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="CONFIG.SYS") returned 1 [0116.420] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="RECYCLER") returned -1 [0116.420] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="BOOTSECT.BAK") returned 1 [0116.420] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="bootmgr") returned 1 [0116.420] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="programdata") returned -1 [0116.420] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="appdata") returned 1 [0116.420] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="program files") returned -1 [0116.420] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="program files (x86)") returned -1 [0116.420] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\" [0116.420] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSN Entertainment.url" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" [0116.420] PathFindExtensionW (pszPath="MSN Entertainment.url") returned=".url" [0116.420] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.420] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.420] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.420] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.420] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.420] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.420] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.420] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.420] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.420] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="MSN Money.url", cAlternateFileName="MSNMON~1.URL")) returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2=".") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="..") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="...") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="windows") returned -1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="$RECYCLE.BIN") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="rsa") returned -1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="log") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="NTDETECT.COM") returned -1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="ntldr") returned -1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="MSDOS.SYS") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="IO.SYS") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="boot.ini") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="ntuser.dat") returned -1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="desktop.ini") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="CONFIG.SYS") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="RECYCLER") returned -1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="BOOTSECT.BAK") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="bootmgr") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="programdata") returned -1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="appdata") returned 1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="program files") returned -1 [0116.421] lstrcmpiW (lpString1="MSN Money.url", lpString2="program files (x86)") returned -1 [0116.421] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\" [0116.421] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSN Money.url" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" [0116.422] PathFindExtensionW (pszPath="MSN Money.url") returned=".url" [0116.422] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.422] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.422] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.422] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.422] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.422] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.422] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.422] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.422] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.422] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="MSN Sports.url", cAlternateFileName="MSNSPO~1.URL")) returned 1 [0116.422] lstrcmpiW (lpString1="MSN Sports.url", lpString2=".") returned 1 [0116.422] lstrcmpiW (lpString1="MSN Sports.url", lpString2="..") returned 1 [0116.422] lstrcmpiW (lpString1="MSN Sports.url", lpString2="...") returned 1 [0116.422] lstrcmpiW (lpString1="MSN Sports.url", lpString2="windows") returned -1 [0116.422] lstrcmpiW (lpString1="MSN Sports.url", lpString2="$RECYCLE.BIN") returned 1 [0116.422] lstrcmpiW (lpString1="MSN Sports.url", lpString2="rsa") returned -1 [0116.422] lstrcmpiW (lpString1="MSN Sports.url", lpString2="log") returned 1 [0116.422] lstrcmpiW (lpString1="MSN Sports.url", lpString2="NTDETECT.COM") returned -1 [0116.422] lstrcmpiW (lpString1="MSN Sports.url", lpString2="ntldr") returned -1 [0116.422] lstrcmpiW (lpString1="MSN Sports.url", lpString2="MSDOS.SYS") returned 1 [0116.422] lstrcmpiW (lpString1="MSN Sports.url", lpString2="IO.SYS") returned 1 [0116.422] lstrcmpiW (lpString1="MSN Sports.url", lpString2="boot.ini") returned 1 [0116.423] lstrcmpiW (lpString1="MSN Sports.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.423] lstrcmpiW (lpString1="MSN Sports.url", lpString2="ntuser.dat") returned -1 [0116.423] lstrcmpiW (lpString1="MSN Sports.url", lpString2="desktop.ini") returned 1 [0116.423] lstrcmpiW (lpString1="MSN Sports.url", lpString2="CONFIG.SYS") returned 1 [0116.423] lstrcmpiW (lpString1="MSN Sports.url", lpString2="RECYCLER") returned -1 [0116.423] lstrcmpiW (lpString1="MSN Sports.url", lpString2="BOOTSECT.BAK") returned 1 [0116.423] lstrcmpiW (lpString1="MSN Sports.url", lpString2="bootmgr") returned 1 [0116.423] lstrcmpiW (lpString1="MSN Sports.url", lpString2="programdata") returned -1 [0116.423] lstrcmpiW (lpString1="MSN Sports.url", lpString2="appdata") returned 1 [0116.423] lstrcmpiW (lpString1="MSN Sports.url", lpString2="program files") returned -1 [0116.423] lstrcmpiW (lpString1="MSN Sports.url", lpString2="program files (x86)") returned -1 [0116.423] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\" [0116.423] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSN Sports.url" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" [0116.423] PathFindExtensionW (pszPath="MSN Sports.url") returned=".url" [0116.423] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.423] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.423] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.423] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.423] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.423] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.423] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.423] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.424] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.424] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="MSN.url", cAlternateFileName="")) returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2=".") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="..") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="...") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="windows") returned -1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="$RECYCLE.BIN") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="rsa") returned -1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="log") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="NTDETECT.COM") returned -1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="ntldr") returned -1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="MSDOS.SYS") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="IO.SYS") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="boot.ini") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="ntuser.dat") returned -1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="desktop.ini") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="CONFIG.SYS") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="RECYCLER") returned -1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="BOOTSECT.BAK") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="bootmgr") returned 1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="programdata") returned -1 [0116.424] lstrcmpiW (lpString1="MSN.url", lpString2="appdata") returned 1 [0116.425] lstrcmpiW (lpString1="MSN.url", lpString2="program files") returned -1 [0116.425] lstrcmpiW (lpString1="MSN.url", lpString2="program files (x86)") returned -1 [0116.425] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\" [0116.425] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSN.url" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" [0116.425] PathFindExtensionW (pszPath="MSN.url") returned=".url" [0116.425] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.425] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.425] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.425] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.425] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.425] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.425] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.425] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.425] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.425] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 1 [0116.425] lstrcmpiW (lpString1="MSNBC News.url", lpString2=".") returned 1 [0116.425] lstrcmpiW (lpString1="MSNBC News.url", lpString2="..") returned 1 [0116.425] lstrcmpiW (lpString1="MSNBC News.url", lpString2="...") returned 1 [0116.425] lstrcmpiW (lpString1="MSNBC News.url", lpString2="windows") returned -1 [0116.425] lstrcmpiW (lpString1="MSNBC News.url", lpString2="$RECYCLE.BIN") returned 1 [0116.425] lstrcmpiW (lpString1="MSNBC News.url", lpString2="rsa") returned -1 [0116.425] lstrcmpiW (lpString1="MSNBC News.url", lpString2="log") returned 1 [0116.425] lstrcmpiW (lpString1="MSNBC News.url", lpString2="NTDETECT.COM") returned -1 [0116.425] lstrcmpiW (lpString1="MSNBC News.url", lpString2="ntldr") returned -1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="MSDOS.SYS") returned 1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="IO.SYS") returned 1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="boot.ini") returned 1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="ntuser.dat") returned -1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="desktop.ini") returned 1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="CONFIG.SYS") returned 1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="RECYCLER") returned -1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="BOOTSECT.BAK") returned 1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="bootmgr") returned 1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="programdata") returned -1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="appdata") returned 1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="program files") returned -1 [0116.426] lstrcmpiW (lpString1="MSNBC News.url", lpString2="program files (x86)") returned -1 [0116.426] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\" [0116.426] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSNBC News.url" | out: lpString1="C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url") returned="C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" [0116.426] PathFindExtensionW (pszPath="MSNBC News.url") returned=".url" [0116.426] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.426] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.426] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.426] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.426] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.426] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.426] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.427] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.427] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.427] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 0 [0116.427] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.428] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2=".") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="..") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="...") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="windows") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="$RECYCLE.BIN") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="rsa") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="log") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="NTDETECT.COM") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="ntldr") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="MSDOS.SYS") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="IO.SYS") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="boot.ini") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="AUTOEXEC.BAT") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="ntuser.dat") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="desktop.ini") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="CONFIG.SYS") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="RECYCLER") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="BOOTSECT.BAK") returned 1 [0116.428] lstrcmpiW (lpString1="Windows Live", lpString2="bootmgr") returned 1 [0116.429] lstrcmpiW (lpString1="Windows Live", lpString2="programdata") returned 1 [0116.429] lstrcmpiW (lpString1="Windows Live", lpString2="appdata") returned 1 [0116.429] lstrcmpiW (lpString1="Windows Live", lpString2="program files") returned 1 [0116.429] lstrcmpiW (lpString1="Windows Live", lpString2="program files (x86)") returned 1 [0116.429] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Favorites\\" | out: lpString1="C:\\Users\\Default\\Favorites\\") returned="C:\\Users\\Default\\Favorites\\" [0116.429] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2="Windows Live" | out: lpString1="C:\\Users\\Default\\Favorites\\Windows Live") returned="C:\\Users\\Default\\Favorites\\Windows Live" [0116.429] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Windows Live", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\") returned="C:\\Users\\Default\\Favorites\\Windows Live\\" [0116.429] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Default\\Favorites\\Windows Live\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\") returned="C:\\Users\\Default\\Favorites\\Windows Live\\" [0116.429] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\*.*") returned="C:\\Users\\Default\\Favorites\\Windows Live\\*.*" [0116.429] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\Windows Live\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.431] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.431] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.432] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.432] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.432] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2=".") returned 1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="..") returned 1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="...") returned 1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="windows") returned -1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="$RECYCLE.BIN") returned 1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="rsa") returned -1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="log") returned -1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="NTDETECT.COM") returned -1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="ntldr") returned -1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="MSDOS.SYS") returned -1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="IO.SYS") returned -1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="boot.ini") returned 1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="ntuser.dat") returned -1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="desktop.ini") returned 1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="CONFIG.SYS") returned 1 [0116.432] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="RECYCLER") returned -1 [0116.433] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="BOOTSECT.BAK") returned 1 [0116.433] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="bootmgr") returned 1 [0116.433] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="programdata") returned -1 [0116.433] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="appdata") returned 1 [0116.433] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="program files") returned -1 [0116.433] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="program files (x86)") returned -1 [0116.433] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\Windows Live\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\") returned="C:\\Users\\Default\\Favorites\\Windows Live\\" [0116.433] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\", lpString2="Get Windows Live.url" | out: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned="C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" [0116.433] PathFindExtensionW (pszPath="Get Windows Live.url") returned=".url" [0116.433] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.433] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.433] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.433] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.433] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.433] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.433] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.433] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.433] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.434] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Windows Live Gallery.url", cAlternateFileName="WINDOW~2.URL")) returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2=".") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="..") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="...") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="windows") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="$RECYCLE.BIN") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="rsa") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="log") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="NTDETECT.COM") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="ntldr") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="MSDOS.SYS") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="IO.SYS") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="boot.ini") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="ntuser.dat") returned 1 [0116.434] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="desktop.ini") returned 1 [0116.435] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="CONFIG.SYS") returned 1 [0116.435] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="RECYCLER") returned 1 [0116.435] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="BOOTSECT.BAK") returned 1 [0116.435] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="bootmgr") returned 1 [0116.435] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="programdata") returned 1 [0116.435] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="appdata") returned 1 [0116.435] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="program files") returned 1 [0116.435] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="program files (x86)") returned 1 [0116.435] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\Windows Live\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\") returned="C:\\Users\\Default\\Favorites\\Windows Live\\" [0116.435] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\", lpString2="Windows Live Gallery.url" | out: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url") returned="C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url" [0116.435] PathFindExtensionW (pszPath="Windows Live Gallery.url") returned=".url" [0116.435] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.435] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.435] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.435] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.435] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.435] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.435] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.435] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.435] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.435] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Windows Live Mail.url", cAlternateFileName="WINDOW~1.URL")) returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2=".") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="..") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="...") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="windows") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="$RECYCLE.BIN") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="rsa") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="log") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="NTDETECT.COM") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="ntldr") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="MSDOS.SYS") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="IO.SYS") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="boot.ini") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="ntuser.dat") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="desktop.ini") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="CONFIG.SYS") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="RECYCLER") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="BOOTSECT.BAK") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="bootmgr") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="programdata") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="appdata") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="program files") returned 1 [0116.436] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="program files (x86)") returned 1 [0116.436] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\Windows Live\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\") returned="C:\\Users\\Default\\Favorites\\Windows Live\\" [0116.436] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\", lpString2="Windows Live Mail.url" | out: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url") returned="C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url" [0116.437] PathFindExtensionW (pszPath="Windows Live Mail.url") returned=".url" [0116.437] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.437] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.437] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.437] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.437] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.437] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.437] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.437] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.437] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.437] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2=".") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="..") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="...") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="windows") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="$RECYCLE.BIN") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="rsa") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="log") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="NTDETECT.COM") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="ntldr") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="MSDOS.SYS") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="IO.SYS") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="boot.ini") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="AUTOEXEC.BAT") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="ntuser.dat") returned 1 [0116.437] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="desktop.ini") returned 1 [0116.438] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="CONFIG.SYS") returned 1 [0116.438] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="RECYCLER") returned 1 [0116.438] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="BOOTSECT.BAK") returned 1 [0116.438] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="bootmgr") returned 1 [0116.438] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="programdata") returned 1 [0116.438] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="appdata") returned 1 [0116.438] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="program files") returned 1 [0116.438] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="program files (x86)") returned 1 [0116.438] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Default\\Favorites\\Windows Live\\" | out: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\") returned="C:\\Users\\Default\\Favorites\\Windows Live\\" [0116.438] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\", lpString2="Windows Live Spaces.url" | out: lpString1="C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url") returned="C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url" [0116.438] PathFindExtensionW (pszPath="Windows Live Spaces.url") returned=".url" [0116.438] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0116.438] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0116.438] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0116.438] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0116.438] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0116.438] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0116.438] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0116.438] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0116.438] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0116.438] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x24de8e0, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 0 [0116.438] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.439] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0116.439] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.439] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Links", cAlternateFileName="")) returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="$RECYCLE.BIN") returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="log") returned -1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="NTDETECT.COM") returned -1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="ntldr") returned -1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="MSDOS.SYS") returned -1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="IO.SYS") returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="boot.ini") returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="AUTOEXEC.BAT") returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="desktop.ini") returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="CONFIG.SYS") returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="RECYCLER") returned -1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="BOOTSECT.BAK") returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0116.440] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0116.440] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.440] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Links" | out: lpString1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0116.440] lstrcatW (in: lpString1="C:\\Users\\Default\\Links", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Links\\") returned="C:\\Users\\Default\\Links\\" [0116.441] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Links\\" | out: lpString1="C:\\Users\\Default\\Links\\") returned="C:\\Users\\Default\\Links\\" [0116.441] lstrcatW (in: lpString1="C:\\Users\\Default\\Links\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Links\\*.*") returned="C:\\Users\\Default\\Links\\*.*" [0116.441] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.443] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.443] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.443] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.443] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.443] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.443] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.444] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.444] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0116.444] lstrcmpiW (lpString1="Desktop.lnk", lpString2=".") returned 1 [0116.444] lstrcmpiW (lpString1="Desktop.lnk", lpString2="..") returned 1 [0116.444] lstrcmpiW (lpString1="Desktop.lnk", lpString2="...") returned 1 [0116.444] lstrcmpiW (lpString1="Desktop.lnk", lpString2="windows") returned -1 [0116.444] lstrcmpiW (lpString1="Desktop.lnk", lpString2="$RECYCLE.BIN") returned 1 [0116.444] lstrcmpiW (lpString1="Desktop.lnk", lpString2="rsa") returned -1 [0116.444] lstrcmpiW (lpString1="Desktop.lnk", lpString2="log") returned -1 [0116.444] lstrcmpiW (lpString1="Desktop.lnk", lpString2="NTDETECT.COM") returned -1 [0116.444] lstrcmpiW (lpString1="Desktop.lnk", lpString2="ntldr") returned -1 [0116.444] lstrcmpiW (lpString1="Desktop.lnk", lpString2="MSDOS.SYS") returned -1 [0116.444] lstrcmpiW (lpString1="Desktop.lnk", lpString2="IO.SYS") returned -1 [0116.445] lstrcmpiW (lpString1="Desktop.lnk", lpString2="boot.ini") returned 1 [0116.445] lstrcmpiW (lpString1="Desktop.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0116.445] lstrcmpiW (lpString1="Desktop.lnk", lpString2="ntuser.dat") returned -1 [0116.445] lstrcmpiW (lpString1="Desktop.lnk", lpString2="desktop.ini") returned 1 [0116.445] lstrcmpiW (lpString1="Desktop.lnk", lpString2="CONFIG.SYS") returned 1 [0116.445] lstrcmpiW (lpString1="Desktop.lnk", lpString2="RECYCLER") returned -1 [0116.445] lstrcmpiW (lpString1="Desktop.lnk", lpString2="BOOTSECT.BAK") returned 1 [0116.445] lstrcmpiW (lpString1="Desktop.lnk", lpString2="bootmgr") returned 1 [0116.445] lstrcmpiW (lpString1="Desktop.lnk", lpString2="programdata") returned -1 [0116.445] lstrcmpiW (lpString1="Desktop.lnk", lpString2="appdata") returned 1 [0116.445] lstrcmpiW (lpString1="Desktop.lnk", lpString2="program files") returned -1 [0116.445] lstrcmpiW (lpString1="Desktop.lnk", lpString2="program files (x86)") returned -1 [0116.445] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Links\\" | out: lpString1="C:\\Users\\Default\\Links\\") returned="C:\\Users\\Default\\Links\\" [0116.445] lstrcatW (in: lpString1="C:\\Users\\Default\\Links\\", lpString2="Desktop.lnk" | out: lpString1="C:\\Users\\Default\\Links\\Desktop.lnk") returned="C:\\Users\\Default\\Links\\Desktop.lnk" [0116.445] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0116.445] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0116.445] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0116.445] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0116.445] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0116.445] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0116.445] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0116.445] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0116.445] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0116.445] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0116.445] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0116.446] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0116.446] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0116.446] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0116.446] lstrcmpiW (lpString1=".lnk", lpString2=".NEPHILIM") returned -1 [0116.446] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0116.446] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0116.446] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2=".") returned 1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="..") returned 1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="...") returned 1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="windows") returned -1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="$RECYCLE.BIN") returned 1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="rsa") returned -1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="log") returned -1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="NTDETECT.COM") returned -1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="ntldr") returned -1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="MSDOS.SYS") returned -1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="IO.SYS") returned -1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="boot.ini") returned 1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="ntuser.dat") returned -1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="desktop.ini") returned 1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="CONFIG.SYS") returned 1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="RECYCLER") returned -1 [0116.446] lstrcmpiW (lpString1="Downloads.lnk", lpString2="BOOTSECT.BAK") returned 1 [0116.447] lstrcmpiW (lpString1="Downloads.lnk", lpString2="bootmgr") returned 1 [0116.447] lstrcmpiW (lpString1="Downloads.lnk", lpString2="programdata") returned -1 [0116.447] lstrcmpiW (lpString1="Downloads.lnk", lpString2="appdata") returned 1 [0116.447] lstrcmpiW (lpString1="Downloads.lnk", lpString2="program files") returned -1 [0116.447] lstrcmpiW (lpString1="Downloads.lnk", lpString2="program files (x86)") returned -1 [0116.447] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Links\\" | out: lpString1="C:\\Users\\Default\\Links\\") returned="C:\\Users\\Default\\Links\\" [0116.447] lstrcatW (in: lpString1="C:\\Users\\Default\\Links\\", lpString2="Downloads.lnk" | out: lpString1="C:\\Users\\Default\\Links\\Downloads.lnk") returned="C:\\Users\\Default\\Links\\Downloads.lnk" [0116.447] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".NEPHILIM") returned -1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0116.447] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0116.447] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2=".") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="..") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="...") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="windows") returned -1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="$RECYCLE.BIN") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="rsa") returned -1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="log") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="NTDETECT.COM") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="ntldr") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="MSDOS.SYS") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="IO.SYS") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="boot.ini") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="ntuser.dat") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="desktop.ini") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="CONFIG.SYS") returned 1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="RECYCLER") returned -1 [0116.448] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="BOOTSECT.BAK") returned 1 [0116.449] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="bootmgr") returned 1 [0116.449] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="programdata") returned 1 [0116.449] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="appdata") returned 1 [0116.449] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="program files") returned 1 [0116.449] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="program files (x86)") returned 1 [0116.449] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Links\\" | out: lpString1="C:\\Users\\Default\\Links\\") returned="C:\\Users\\Default\\Links\\" [0116.449] lstrcatW (in: lpString1="C:\\Users\\Default\\Links\\", lpString2="RecentPlaces.lnk" | out: lpString1="C:\\Users\\Default\\Links\\RecentPlaces.lnk") returned="C:\\Users\\Default\\Links\\RecentPlaces.lnk" [0116.449] PathFindExtensionW (pszPath="RecentPlaces.lnk") returned=".lnk" [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".NEPHILIM") returned -1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0116.449] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0116.449] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0 [0116.450] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.450] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="...") returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="windows") returned -1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="$RECYCLE.BIN") returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="rsa") returned -1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="log") returned -1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="NTDETECT.COM") returned -1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="ntldr") returned -1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="MSDOS.SYS") returned -1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="IO.SYS") returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="boot.ini") returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="AUTOEXEC.BAT") returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="ntuser.dat") returned -1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="desktop.ini") returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="CONFIG.SYS") returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="RECYCLER") returned -1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="BOOTSECT.BAK") returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="bootmgr") returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="programdata") returned -1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="appdata") returned 1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="program files") returned -1 [0116.451] lstrcmpiW (lpString1="Local Settings", lpString2="program files (x86)") returned -1 [0116.451] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.451] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Local Settings" | out: lpString1="C:\\Users\\Default\\Local Settings") returned="C:\\Users\\Default\\Local Settings" [0116.452] lstrcatW (in: lpString1="C:\\Users\\Default\\Local Settings", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Local Settings\\") returned="C:\\Users\\Default\\Local Settings\\" [0116.452] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Local Settings\\" | out: lpString1="C:\\Users\\Default\\Local Settings\\") returned="C:\\Users\\Default\\Local Settings\\" [0116.452] lstrcatW (in: lpString1="C:\\Users\\Default\\Local Settings\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Local Settings\\*.*") returned="C:\\Users\\Default\\Local Settings\\*.*" [0116.452] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Local Settings\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0xffffffff [0116.452] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Music", cAlternateFileName="")) returned 1 [0116.452] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="...") returned 1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="$RECYCLE.BIN") returned 1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="rsa") returned -1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="log") returned 1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="NTDETECT.COM") returned -1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="ntldr") returned -1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="MSDOS.SYS") returned 1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="IO.SYS") returned 1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="boot.ini") returned 1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="AUTOEXEC.BAT") returned 1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="ntuser.dat") returned -1 [0116.452] lstrcmpiW (lpString1="Music", lpString2="desktop.ini") returned 1 [0116.453] lstrcmpiW (lpString1="Music", lpString2="CONFIG.SYS") returned 1 [0116.453] lstrcmpiW (lpString1="Music", lpString2="RECYCLER") returned -1 [0116.453] lstrcmpiW (lpString1="Music", lpString2="BOOTSECT.BAK") returned 1 [0116.453] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0116.453] lstrcmpiW (lpString1="Music", lpString2="programdata") returned -1 [0116.453] lstrcmpiW (lpString1="Music", lpString2="appdata") returned 1 [0116.453] lstrcmpiW (lpString1="Music", lpString2="program files") returned -1 [0116.453] lstrcmpiW (lpString1="Music", lpString2="program files (x86)") returned -1 [0116.453] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.453] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Music" | out: lpString1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0116.453] lstrcatW (in: lpString1="C:\\Users\\Default\\Music", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Music\\") returned="C:\\Users\\Default\\Music\\" [0116.453] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Music\\" | out: lpString1="C:\\Users\\Default\\Music\\") returned="C:\\Users\\Default\\Music\\" [0116.453] lstrcatW (in: lpString1="C:\\Users\\Default\\Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Music\\*.*") returned="C:\\Users\\Default\\Music\\*.*" [0116.453] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.453] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.453] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.454] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.454] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.454] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.454] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.454] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0116.455] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.455] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="...") returned 1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="windows") returned -1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="$RECYCLE.BIN") returned 1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="rsa") returned -1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="log") returned 1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="NTDETECT.COM") returned -1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="ntldr") returned -1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="MSDOS.SYS") returned 1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="IO.SYS") returned 1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="boot.ini") returned 1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="AUTOEXEC.BAT") returned 1 [0116.455] lstrcmpiW (lpString1="My Documents", lpString2="ntuser.dat") returned -1 [0116.456] lstrcmpiW (lpString1="My Documents", lpString2="desktop.ini") returned 1 [0116.456] lstrcmpiW (lpString1="My Documents", lpString2="CONFIG.SYS") returned 1 [0116.456] lstrcmpiW (lpString1="My Documents", lpString2="RECYCLER") returned -1 [0116.456] lstrcmpiW (lpString1="My Documents", lpString2="BOOTSECT.BAK") returned 1 [0116.456] lstrcmpiW (lpString1="My Documents", lpString2="bootmgr") returned 1 [0116.456] lstrcmpiW (lpString1="My Documents", lpString2="programdata") returned -1 [0116.456] lstrcmpiW (lpString1="My Documents", lpString2="appdata") returned 1 [0116.456] lstrcmpiW (lpString1="My Documents", lpString2="program files") returned -1 [0116.456] lstrcmpiW (lpString1="My Documents", lpString2="program files (x86)") returned -1 [0116.456] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.456] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="My Documents" | out: lpString1="C:\\Users\\Default\\My Documents") returned="C:\\Users\\Default\\My Documents" [0116.456] lstrcatW (in: lpString1="C:\\Users\\Default\\My Documents", lpString2="\\" | out: lpString1="C:\\Users\\Default\\My Documents\\") returned="C:\\Users\\Default\\My Documents\\" [0116.456] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\My Documents\\" | out: lpString1="C:\\Users\\Default\\My Documents\\") returned="C:\\Users\\Default\\My Documents\\" [0116.456] lstrcatW (in: lpString1="C:\\Users\\Default\\My Documents\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\My Documents\\*.*") returned="C:\\Users\\Default\\My Documents\\*.*" [0116.456] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\My Documents\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0116.457] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="...") returned 1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="windows") returned -1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="$RECYCLE.BIN") returned 1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="rsa") returned -1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="log") returned 1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="NTDETECT.COM") returned -1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="ntldr") returned -1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="MSDOS.SYS") returned 1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="IO.SYS") returned 1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="boot.ini") returned 1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="AUTOEXEC.BAT") returned 1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="ntuser.dat") returned -1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="desktop.ini") returned 1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="CONFIG.SYS") returned 1 [0116.457] lstrcmpiW (lpString1="NetHood", lpString2="RECYCLER") returned -1 [0116.458] lstrcmpiW (lpString1="NetHood", lpString2="BOOTSECT.BAK") returned 1 [0116.458] lstrcmpiW (lpString1="NetHood", lpString2="bootmgr") returned 1 [0116.458] lstrcmpiW (lpString1="NetHood", lpString2="programdata") returned -1 [0116.458] lstrcmpiW (lpString1="NetHood", lpString2="appdata") returned 1 [0116.458] lstrcmpiW (lpString1="NetHood", lpString2="program files") returned -1 [0116.458] lstrcmpiW (lpString1="NetHood", lpString2="program files (x86)") returned -1 [0116.458] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.458] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NetHood" | out: lpString1="C:\\Users\\Default\\NetHood") returned="C:\\Users\\Default\\NetHood" [0116.458] lstrcatW (in: lpString1="C:\\Users\\Default\\NetHood", lpString2="\\" | out: lpString1="C:\\Users\\Default\\NetHood\\") returned="C:\\Users\\Default\\NetHood\\" [0116.458] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\NetHood\\" | out: lpString1="C:\\Users\\Default\\NetHood\\") returned="C:\\Users\\Default\\NetHood\\" [0116.458] lstrcatW (in: lpString1="C:\\Users\\Default\\NetHood\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\NetHood\\*.*") returned="C:\\Users\\Default\\NetHood\\*.*" [0116.458] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\NetHood\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0116.458] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6770de0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x6770de0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xc0000, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0116.458] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0116.458] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0116.458] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="...") returned 1 [0116.458] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="windows") returned -1 [0116.458] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$RECYCLE.BIN") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="rsa") returned -1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="log") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="NTDETECT.COM") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntldr") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="MSDOS.SYS") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="IO.SYS") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="boot.ini") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="AUTOEXEC.BAT") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntuser.dat") returned 0 [0116.459] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xc103692e, ftCreationTime.dwHighDateTime=0x1ca0451, ftLastAccessTime.dwLowDateTime=0x1dd1880d, ftLastAccessTime.dwHighDateTime=0x1cbf8ec, ftLastWriteTime.dwLowDateTime=0x1dd1880d, ftLastWriteTime.dwHighDateTime=0x1cbf8ec, nFileSizeHigh=0x0, nFileSizeLow=0x400, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NTUSER.DAT.LOG", cAlternateFileName="NTUSER~3.LOG")) returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2=".") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="..") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="...") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="windows") returned -1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="$RECYCLE.BIN") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="rsa") returned -1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="log") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="NTDETECT.COM") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="ntldr") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="MSDOS.SYS") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="IO.SYS") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="boot.ini") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="AUTOEXEC.BAT") returned 1 [0116.459] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="ntuser.dat") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="desktop.ini") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="CONFIG.SYS") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="RECYCLER") returned -1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="BOOTSECT.BAK") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="bootmgr") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="programdata") returned -1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="appdata") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="program files") returned -1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="program files (x86)") returned -1 [0116.460] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.460] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT.LOG" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG") returned="C:\\Users\\Default\\NTUSER.DAT.LOG" [0116.460] PathFindExtensionW (pszPath="NTUSER.DAT.LOG") returned=".LOG" [0116.460] lstrcmpiW (lpString1=".LOG", lpString2=".exe") returned 1 [0116.460] lstrcmpiW (lpString1=".LOG", lpString2=".log") returned 0 [0116.460] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x9012aa61, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x674ac80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2e400, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2=".") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="..") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="...") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="windows") returned -1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="$RECYCLE.BIN") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="rsa") returned -1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="log") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="NTDETECT.COM") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntldr") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="MSDOS.SYS") returned 1 [0116.460] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="IO.SYS") returned 1 [0116.461] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="boot.ini") returned 1 [0116.461] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="AUTOEXEC.BAT") returned 1 [0116.461] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntuser.dat") returned 1 [0116.461] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="desktop.ini") returned 1 [0116.461] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="CONFIG.SYS") returned 1 [0116.461] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="RECYCLER") returned -1 [0116.461] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="BOOTSECT.BAK") returned 1 [0116.461] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="bootmgr") returned 1 [0116.461] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="programdata") returned -1 [0116.461] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="appdata") returned 1 [0116.461] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="program files") returned -1 [0116.461] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="program files (x86)") returned -1 [0116.461] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.461] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT.LOG1" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned="C:\\Users\\Default\\NTUSER.DAT.LOG1" [0116.461] PathFindExtensionW (pszPath="NTUSER.DAT.LOG1") returned=".LOG1" [0116.461] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0116.461] lstrcmpiW (lpString1=".LOG1", lpString2=".log") returned 1 [0116.461] lstrcmpiW (lpString1=".LOG1", lpString2=".cab") returned 1 [0116.461] lstrcmpiW (lpString1=".LOG1", lpString2=".cmd") returned 1 [0116.461] lstrcmpiW (lpString1=".LOG1", lpString2=".com") returned 1 [0116.461] lstrcmpiW (lpString1=".LOG1", lpString2=".cpl") returned 1 [0116.461] lstrcmpiW (lpString1=".LOG1", lpString2=".ini") returned 1 [0116.461] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0116.461] lstrcmpiW (lpString1=".LOG1", lpString2=".url") returned -1 [0116.461] lstrcmpiW (lpString1=".LOG1", lpString2=".ttf") returned -1 [0116.462] lstrcmpiW (lpString1=".LOG1", lpString2=".mp3") returned -1 [0116.462] lstrcmpiW (lpString1=".LOG1", lpString2=".pif") returned -1 [0116.462] lstrcmpiW (lpString1=".LOG1", lpString2=".mp4") returned -1 [0116.462] lstrcmpiW (lpString1=".LOG1", lpString2=".NEPHILIM") returned -1 [0116.462] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0116.462] lstrcmpiW (lpString1=".LOG1", lpString2=".lnk") returned 1 [0116.462] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0116.462] lstrlenA (lpString="NEPHILIM") returned 8 [0116.462] GetProcessHeap () returned 0x4e0000 [0116.462] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50beb0 [0116.462] lstrlenA (lpString="NEPHILIM") returned 8 [0116.462] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0116.463] GetFileSizeEx (in: hFile=0xe8, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=189440) returned 1 [0116.463] GetProcessHeap () returned 0x4e0000 [0116.463] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.463] GetProcessHeap () returned 0x4e0000 [0116.463] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.463] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.463] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.463] GetProcessHeap () returned 0x4e0000 [0116.463] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.463] GetProcessHeap () returned 0x4e0000 [0116.463] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.463] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de888*=0x100) returned 1 [0116.464] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de884*=0x100) returned 1 [0116.464] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2e400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.464] SetLastError (dwErrCode=0x0) [0116.464] WriteFile (in: hFile=0xe8, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0116.475] GetLastError () returned 0x0 [0116.475] GetLastError () returned 0x0 [0116.475] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2e500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.475] WriteFile (in: hFile=0xe8, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0116.475] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x2e600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.475] lstrlenA (lpString="NEPHILIM") returned 8 [0116.476] WriteFile (in: hFile=0xe8, lpBuffer=0x50beb0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x50beb0*, lpNumberOfBytesWritten=0x24deabc*=0x8, lpOverlapped=0x0) returned 1 [0116.476] GetProcessHeap () returned 0x4e0000 [0116.476] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x2e400) returned 0x51efd8 [0116.476] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.476] ReadFile (in: hFile=0xe8, lpBuffer=0x51efd8, nNumberOfBytesToRead=0x2e400, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesRead=0x24deab0*=0x2e400, lpOverlapped=0x0) returned 1 [0116.486] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.486] WriteFile (in: hFile=0xe8, lpBuffer=0x51efd8*, nNumberOfBytesToWrite=0x2e400, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesWritten=0x24deabc*=0x2e400, lpOverlapped=0x0) returned 1 [0116.487] GetProcessHeap () returned 0x4e0000 [0116.487] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51efd8 | out: hHeap=0x4e0000) returned 1 [0116.487] CloseHandle (hObject=0xe8) returned 1 [0116.487] GetProcessHeap () returned 0x4e0000 [0116.487] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.487] GetProcessHeap () returned 0x4e0000 [0116.487] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.487] GetProcessHeap () returned 0x4e0000 [0116.488] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.488] GetProcessHeap () returned 0x4e0000 [0116.488] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.488] lstrcpyW (in: lpString1=0x24de8a8, lpString2="C:\\Users\\Default\\NTUSER.DAT.LOG1" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned="C:\\Users\\Default\\NTUSER.DAT.LOG1" [0116.488] lstrcatW (in: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG1", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG1.NEPHILIM") returned="C:\\Users\\Default\\NTUSER.DAT.LOG1.NEPHILIM" [0116.488] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1.NEPHILIM" (normalized: "c:\\users\\default\\ntuser.dat.log1.nephilim")) returned 1 [0116.489] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x9012aa61, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x9012aa61, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2=".") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="..") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="...") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="windows") returned -1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="$RECYCLE.BIN") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="rsa") returned -1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="log") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="NTDETECT.COM") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntldr") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="MSDOS.SYS") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="IO.SYS") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="boot.ini") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="AUTOEXEC.BAT") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntuser.dat") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="desktop.ini") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="CONFIG.SYS") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="RECYCLER") returned -1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="BOOTSECT.BAK") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="bootmgr") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="programdata") returned -1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="appdata") returned 1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="program files") returned -1 [0116.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="program files (x86)") returned -1 [0116.489] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.489] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT.LOG2" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned="C:\\Users\\Default\\NTUSER.DAT.LOG2" [0116.489] PathFindExtensionW (pszPath="NTUSER.DAT.LOG2") returned=".LOG2" [0116.489] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0116.489] lstrcmpiW (lpString1=".LOG2", lpString2=".log") returned 1 [0116.489] lstrcmpiW (lpString1=".LOG2", lpString2=".cab") returned 1 [0116.489] lstrcmpiW (lpString1=".LOG2", lpString2=".cmd") returned 1 [0116.490] lstrcmpiW (lpString1=".LOG2", lpString2=".com") returned 1 [0116.490] lstrcmpiW (lpString1=".LOG2", lpString2=".cpl") returned 1 [0116.490] lstrcmpiW (lpString1=".LOG2", lpString2=".ini") returned 1 [0116.490] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0116.490] lstrcmpiW (lpString1=".LOG2", lpString2=".url") returned -1 [0116.490] lstrcmpiW (lpString1=".LOG2", lpString2=".ttf") returned -1 [0116.490] lstrcmpiW (lpString1=".LOG2", lpString2=".mp3") returned -1 [0116.490] lstrcmpiW (lpString1=".LOG2", lpString2=".pif") returned -1 [0116.490] lstrcmpiW (lpString1=".LOG2", lpString2=".mp4") returned -1 [0116.490] lstrcmpiW (lpString1=".LOG2", lpString2=".NEPHILIM") returned -1 [0116.490] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0116.490] lstrcmpiW (lpString1=".LOG2", lpString2=".lnk") returned 1 [0116.490] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0116.490] lstrlenA (lpString="NEPHILIM") returned 8 [0116.490] GetProcessHeap () returned 0x4e0000 [0116.490] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bec0 [0116.490] lstrlenA (lpString="NEPHILIM") returned 8 [0116.490] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0116.491] GetFileSizeEx (in: hFile=0xe8, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=0) returned 1 [0116.491] GetProcessHeap () returned 0x4e0000 [0116.491] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.491] GetProcessHeap () returned 0x4e0000 [0116.491] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.491] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.491] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.491] GetProcessHeap () returned 0x4e0000 [0116.491] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.491] GetProcessHeap () returned 0x4e0000 [0116.491] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.491] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de888*=0x100) returned 1 [0116.491] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de884*=0x100) returned 1 [0116.491] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.491] SetLastError (dwErrCode=0x0) [0116.492] WriteFile (in: hFile=0xe8, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0116.492] GetLastError () returned 0x0 [0116.492] GetLastError () returned 0x0 [0116.492] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.493] WriteFile (in: hFile=0xe8, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0116.493] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.493] lstrlenA (lpString="NEPHILIM") returned 8 [0116.493] WriteFile (in: hFile=0xe8, lpBuffer=0x50bec0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x50bec0*, lpNumberOfBytesWritten=0x24deabc*=0x8, lpOverlapped=0x0) returned 1 [0116.493] GetProcessHeap () returned 0x4e0000 [0116.493] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x0) returned 0x50bed0 [0116.493] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.493] ReadFile (in: hFile=0xe8, lpBuffer=0x50bed0, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x50bed0*, lpNumberOfBytesRead=0x24deab0*=0x0, lpOverlapped=0x0) returned 1 [0116.493] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.493] WriteFile (in: hFile=0xe8, lpBuffer=0x50bed0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x50bed0*, lpNumberOfBytesWritten=0x24deabc*=0x0, lpOverlapped=0x0) returned 1 [0116.493] GetProcessHeap () returned 0x4e0000 [0116.493] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50bed0 | out: hHeap=0x4e0000) returned 1 [0116.493] CloseHandle (hObject=0xe8) returned 1 [0116.493] GetProcessHeap () returned 0x4e0000 [0116.493] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.493] GetProcessHeap () returned 0x4e0000 [0116.494] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.494] GetProcessHeap () returned 0x4e0000 [0116.494] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.494] GetProcessHeap () returned 0x4e0000 [0116.494] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.494] lstrcpyW (in: lpString1=0x24de8a8, lpString2="C:\\Users\\Default\\NTUSER.DAT.LOG2" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned="C:\\Users\\Default\\NTUSER.DAT.LOG2" [0116.494] lstrcatW (in: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG2", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG2.NEPHILIM") returned="C:\\Users\\Default\\NTUSER.DAT.LOG2.NEPHILIM" [0116.494] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2.NEPHILIM" (normalized: "c:\\users\\default\\ntuser.dat.log2.nephilim")) returned 1 [0116.495] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8d30919, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0xf8d30919, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0xf8ead6dc, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0116.495] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".") returned 1 [0116.495] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="..") returned 1 [0116.495] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="...") returned 1 [0116.495] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="windows") returned -1 [0116.495] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="$RECYCLE.BIN") returned 1 [0116.495] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="rsa") returned -1 [0116.495] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="log") returned 1 [0116.495] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="NTDETECT.COM") returned 1 [0116.495] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="ntldr") returned 1 [0116.495] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="MSDOS.SYS") returned 1 [0116.495] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="IO.SYS") returned 1 [0116.496] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="boot.ini") returned 1 [0116.496] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="AUTOEXEC.BAT") returned 1 [0116.496] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="ntuser.dat") returned 1 [0116.496] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="desktop.ini") returned 1 [0116.496] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="CONFIG.SYS") returned 1 [0116.496] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="RECYCLER") returned -1 [0116.496] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="BOOTSECT.BAK") returned 1 [0116.496] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="bootmgr") returned 1 [0116.496] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="programdata") returned -1 [0116.496] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="appdata") returned 1 [0116.496] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="program files") returned -1 [0116.496] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="program files (x86)") returned -1 [0116.496] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.496] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0116.496] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned=".blf" [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".exe") returned -1 [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".log") returned -1 [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".cab") returned -1 [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".cmd") returned -1 [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".com") returned -1 [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".cpl") returned -1 [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".url") returned -1 [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".ttf") returned -1 [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".mp3") returned -1 [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".pif") returned -1 [0116.496] lstrcmpiW (lpString1=".blf", lpString2=".mp4") returned -1 [0116.497] lstrcmpiW (lpString1=".blf", lpString2=".NEPHILIM") returned -1 [0116.497] lstrcmpiW (lpString1=".blf", lpString2=".msi") returned -1 [0116.497] lstrcmpiW (lpString1=".blf", lpString2=".lnk") returned -1 [0116.497] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0116.497] lstrlenA (lpString="NEPHILIM") returned 8 [0116.497] GetProcessHeap () returned 0x4e0000 [0116.497] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bed0 [0116.497] lstrlenA (lpString="NEPHILIM") returned 8 [0116.497] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0116.497] GetFileSizeEx (in: hFile=0xe8, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=65536) returned 1 [0116.497] GetProcessHeap () returned 0x4e0000 [0116.497] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.497] GetProcessHeap () returned 0x4e0000 [0116.497] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.497] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.497] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.497] GetProcessHeap () returned 0x4e0000 [0116.498] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.498] GetProcessHeap () returned 0x4e0000 [0116.498] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.498] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de888*=0x100) returned 1 [0116.498] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de884*=0x100) returned 1 [0116.498] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.498] SetLastError (dwErrCode=0x0) [0116.498] WriteFile (in: hFile=0xe8, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0116.499] GetLastError () returned 0x0 [0116.499] GetLastError () returned 0x0 [0116.499] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x10100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.499] WriteFile (in: hFile=0xe8, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0116.499] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x10200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.499] lstrlenA (lpString="NEPHILIM") returned 8 [0116.499] WriteFile (in: hFile=0xe8, lpBuffer=0x50bed0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x50bed0*, lpNumberOfBytesWritten=0x24deabc*=0x8, lpOverlapped=0x0) returned 1 [0116.500] GetProcessHeap () returned 0x4e0000 [0116.500] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10000) returned 0x51efd8 [0116.500] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.500] ReadFile (in: hFile=0xe8, lpBuffer=0x51efd8, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesRead=0x24deab0*=0x10000, lpOverlapped=0x0) returned 1 [0116.506] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.506] WriteFile (in: hFile=0xe8, lpBuffer=0x51efd8*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x51efd8*, lpNumberOfBytesWritten=0x24deabc*=0x10000, lpOverlapped=0x0) returned 1 [0116.507] GetProcessHeap () returned 0x4e0000 [0116.507] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51efd8 | out: hHeap=0x4e0000) returned 1 [0116.507] CloseHandle (hObject=0xe8) returned 1 [0116.507] GetProcessHeap () returned 0x4e0000 [0116.507] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.507] GetProcessHeap () returned 0x4e0000 [0116.507] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.507] GetProcessHeap () returned 0x4e0000 [0116.507] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.507] GetProcessHeap () returned 0x4e0000 [0116.507] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.507] lstrcpyW (in: lpString1=0x24de8a8, lpString2="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0116.507] lstrcatW (in: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.NEPHILIM") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.NEPHILIM" [0116.507] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.NEPHILIM" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.nephilim")) returned 1 [0116.508] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8da2d3a, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0xf8da2d3a, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0xf8e8757c, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="...") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="rsa") returned -1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="log") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntldr") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="IO.SYS") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot.ini") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="desktop.ini") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0116.508] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="RECYCLER") returned -1 [0116.509] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0116.509] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootmgr") returned 1 [0116.509] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="programdata") returned -1 [0116.509] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="appdata") returned 1 [0116.509] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files") returned -1 [0116.509] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files (x86)") returned -1 [0116.509] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.509] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0116.509] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEPHILIM") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0116.509] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0116.509] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0116.509] lstrlenA (lpString="NEPHILIM") returned 8 [0116.509] GetProcessHeap () returned 0x4e0000 [0116.509] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bee0 [0116.509] lstrlenA (lpString="NEPHILIM") returned 8 [0116.510] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0116.510] GetFileSizeEx (in: hFile=0xe8, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=524288) returned 1 [0116.510] GetProcessHeap () returned 0x4e0000 [0116.510] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.510] GetProcessHeap () returned 0x4e0000 [0116.510] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.510] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.510] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.510] GetProcessHeap () returned 0x4e0000 [0116.510] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.510] GetProcessHeap () returned 0x4e0000 [0116.510] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.511] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de888*=0x100) returned 1 [0116.511] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de884*=0x100) returned 1 [0116.511] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x80000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.511] SetLastError (dwErrCode=0x0) [0116.511] WriteFile (in: hFile=0xe8, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0116.512] GetLastError () returned 0x0 [0116.512] GetLastError () returned 0x0 [0116.512] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x80100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.512] WriteFile (in: hFile=0xe8, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0116.512] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x80200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.512] lstrlenA (lpString="NEPHILIM") returned 8 [0116.512] WriteFile (in: hFile=0xe8, lpBuffer=0x50bee0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x50bee0*, lpNumberOfBytesWritten=0x24deabc*=0x8, lpOverlapped=0x0) returned 1 [0116.513] GetProcessHeap () returned 0x4e0000 [0116.513] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x80000) returned 0x2110020 [0116.513] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.513] ReadFile (in: hFile=0xe8, lpBuffer=0x2110020, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24deab0*=0x80000, lpOverlapped=0x0) returned 1 [0116.550] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.550] WriteFile (in: hFile=0xe8, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24deabc*=0x80000, lpOverlapped=0x0) returned 1 [0116.552] GetProcessHeap () returned 0x4e0000 [0116.552] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0116.555] CloseHandle (hObject=0xe8) returned 1 [0116.555] GetProcessHeap () returned 0x4e0000 [0116.555] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.555] GetProcessHeap () returned 0x4e0000 [0116.555] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.555] GetProcessHeap () returned 0x4e0000 [0116.555] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.555] GetProcessHeap () returned 0x4e0000 [0116.555] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.555] lstrcpyW (in: lpString1=0x24de8a8, lpString2="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0116.555] lstrcatW (in: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.NEPHILIM") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.NEPHILIM" [0116.555] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.NEPHILIM" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.nephilim")) returned 1 [0116.556] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8deeffb, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0xf8deeffb, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0xf8ead6dc, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="...") returned 1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="rsa") returned -1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="log") returned 1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntldr") returned 1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="IO.SYS") returned 1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot.ini") returned 1 [0116.556] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0116.557] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0116.557] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="desktop.ini") returned 1 [0116.557] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0116.557] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="RECYCLER") returned -1 [0116.557] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0116.557] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootmgr") returned 1 [0116.557] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="programdata") returned -1 [0116.557] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="appdata") returned 1 [0116.557] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files") returned -1 [0116.557] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files (x86)") returned -1 [0116.557] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.557] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0116.557] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0116.557] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0116.557] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0116.557] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0116.557] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0116.557] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0116.557] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0116.557] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0116.557] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0116.557] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0116.557] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0116.557] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0116.558] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0116.558] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0116.558] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEPHILIM") returned 1 [0116.558] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0116.558] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0116.558] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0116.558] lstrlenA (lpString="NEPHILIM") returned 8 [0116.558] GetProcessHeap () returned 0x4e0000 [0116.558] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bef0 [0116.558] lstrlenA (lpString="NEPHILIM") returned 8 [0116.559] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0116.559] GetFileSizeEx (in: hFile=0xe8, lpFileSize=0x24deac8 | out: lpFileSize=0x24deac8*=524288) returned 1 [0116.559] GetProcessHeap () returned 0x4e0000 [0116.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.559] GetProcessHeap () returned 0x4e0000 [0116.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.559] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.559] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.559] GetProcessHeap () returned 0x4e0000 [0116.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.559] GetProcessHeap () returned 0x4e0000 [0116.559] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.559] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de888*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de888*=0x100) returned 1 [0116.560] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de884*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de884*=0x100) returned 1 [0116.560] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x80000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.560] SetLastError (dwErrCode=0x0) [0116.560] WriteFile (in: hFile=0xe8, lpBuffer=0x51e280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x51e280*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0116.561] GetLastError () returned 0x0 [0116.561] GetLastError () returned 0x0 [0116.561] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x80100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.561] WriteFile (in: hFile=0xe8, lpBuffer=0x51e388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x51e388*, lpNumberOfBytesWritten=0x24deabc*=0x100, lpOverlapped=0x0) returned 1 [0116.561] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x80200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.561] lstrlenA (lpString="NEPHILIM") returned 8 [0116.561] WriteFile (in: hFile=0xe8, lpBuffer=0x50bef0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x50bef0*, lpNumberOfBytesWritten=0x24deabc*=0x8, lpOverlapped=0x0) returned 1 [0116.562] GetProcessHeap () returned 0x4e0000 [0116.562] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x80000) returned 0x2110020 [0116.562] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.562] ReadFile (in: hFile=0xe8, lpBuffer=0x2110020, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x24deab0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24deab0*=0x80000, lpOverlapped=0x0) returned 1 [0116.604] SetFilePointerEx (in: hFile=0xe8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.604] WriteFile (in: hFile=0xe8, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x24deabc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24deabc*=0x80000, lpOverlapped=0x0) returned 1 [0116.606] GetProcessHeap () returned 0x4e0000 [0116.606] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0116.609] CloseHandle (hObject=0xe8) returned 1 [0116.609] GetProcessHeap () returned 0x4e0000 [0116.609] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e280 | out: hHeap=0x4e0000) returned 1 [0116.609] GetProcessHeap () returned 0x4e0000 [0116.609] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e388 | out: hHeap=0x4e0000) returned 1 [0116.609] GetProcessHeap () returned 0x4e0000 [0116.610] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50deb0 | out: hHeap=0x4e0000) returned 1 [0116.610] GetProcessHeap () returned 0x4e0000 [0116.610] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50dec8 | out: hHeap=0x4e0000) returned 1 [0116.610] lstrcpyW (in: lpString1=0x24de8a8, lpString2="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0116.610] lstrcatW (in: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.NEPHILIM") returned="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.NEPHILIM" [0116.610] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.NEPHILIM" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.nephilim")) returned 1 [0116.611] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2=".") returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="..") returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="...") returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="windows") returned -1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="rsa") returned -1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="log") returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="NTDETECT.COM") returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntldr") returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="MSDOS.SYS") returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="IO.SYS") returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="boot.ini") returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntuser.dat") returned 1 [0116.611] lstrcmpiW (lpString1="ntuser.ini", lpString2="desktop.ini") returned 1 [0116.612] lstrcmpiW (lpString1="ntuser.ini", lpString2="CONFIG.SYS") returned 1 [0116.612] lstrcmpiW (lpString1="ntuser.ini", lpString2="RECYCLER") returned -1 [0116.612] lstrcmpiW (lpString1="ntuser.ini", lpString2="BOOTSECT.BAK") returned 1 [0116.612] lstrcmpiW (lpString1="ntuser.ini", lpString2="bootmgr") returned 1 [0116.612] lstrcmpiW (lpString1="ntuser.ini", lpString2="programdata") returned -1 [0116.612] lstrcmpiW (lpString1="ntuser.ini", lpString2="appdata") returned 1 [0116.612] lstrcmpiW (lpString1="ntuser.ini", lpString2="program files") returned -1 [0116.612] lstrcmpiW (lpString1="ntuser.ini", lpString2="program files (x86)") returned -1 [0116.612] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.612] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="ntuser.ini" | out: lpString1="C:\\Users\\Default\\ntuser.ini") returned="C:\\Users\\Default\\ntuser.ini" [0116.612] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0116.612] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0116.612] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0116.612] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0116.612] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0116.612] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0116.612] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0116.612] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0116.612] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0116.612] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0116.612] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0116.612] lstrcmpiW (lpString1="Pictures", lpString2="...") returned 1 [0116.612] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0116.612] lstrcmpiW (lpString1="Pictures", lpString2="$RECYCLE.BIN") returned 1 [0116.612] lstrcmpiW (lpString1="Pictures", lpString2="rsa") returned -1 [0116.612] lstrcmpiW (lpString1="Pictures", lpString2="log") returned 1 [0116.612] lstrcmpiW (lpString1="Pictures", lpString2="NTDETECT.COM") returned 1 [0116.612] lstrcmpiW (lpString1="Pictures", lpString2="ntldr") returned 1 [0116.612] lstrcmpiW (lpString1="Pictures", lpString2="MSDOS.SYS") returned 1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="IO.SYS") returned 1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="boot.ini") returned 1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="ntuser.dat") returned 1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="desktop.ini") returned 1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="CONFIG.SYS") returned 1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="RECYCLER") returned -1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="BOOTSECT.BAK") returned 1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="programdata") returned -1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="appdata") returned 1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="program files") returned -1 [0116.613] lstrcmpiW (lpString1="Pictures", lpString2="program files (x86)") returned -1 [0116.613] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.613] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Pictures" | out: lpString1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0116.613] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Pictures\\") returned="C:\\Users\\Default\\Pictures\\" [0116.613] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Pictures\\" | out: lpString1="C:\\Users\\Default\\Pictures\\") returned="C:\\Users\\Default\\Pictures\\" [0116.613] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Pictures\\*.*") returned="C:\\Users\\Default\\Pictures\\*.*" [0116.613] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.614] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.614] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="..", cAlternateFileName="")) returned 1 [0116.614] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.614] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.614] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.614] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.614] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0116.614] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.614] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0116.614] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0116.614] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0116.614] lstrcmpiW (lpString1="PrintHood", lpString2="...") returned 1 [0116.614] lstrcmpiW (lpString1="PrintHood", lpString2="windows") returned -1 [0116.614] lstrcmpiW (lpString1="PrintHood", lpString2="$RECYCLE.BIN") returned 1 [0116.614] lstrcmpiW (lpString1="PrintHood", lpString2="rsa") returned -1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="log") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="NTDETECT.COM") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="ntldr") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="MSDOS.SYS") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="IO.SYS") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="boot.ini") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="AUTOEXEC.BAT") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="ntuser.dat") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="desktop.ini") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="CONFIG.SYS") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="RECYCLER") returned -1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="BOOTSECT.BAK") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="bootmgr") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="programdata") returned -1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="appdata") returned 1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="program files") returned -1 [0116.615] lstrcmpiW (lpString1="PrintHood", lpString2="program files (x86)") returned -1 [0116.615] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.615] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="PrintHood" | out: lpString1="C:\\Users\\Default\\PrintHood") returned="C:\\Users\\Default\\PrintHood" [0116.615] lstrcatW (in: lpString1="C:\\Users\\Default\\PrintHood", lpString2="\\" | out: lpString1="C:\\Users\\Default\\PrintHood\\") returned="C:\\Users\\Default\\PrintHood\\" [0116.615] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\PrintHood\\" | out: lpString1="C:\\Users\\Default\\PrintHood\\") returned="C:\\Users\\Default\\PrintHood\\" [0116.615] lstrcatW (in: lpString1="C:\\Users\\Default\\PrintHood\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\PrintHood\\*.*") returned="C:\\Users\\Default\\PrintHood\\*.*" [0116.615] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\PrintHood\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0116.615] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Recent", cAlternateFileName="")) returned 1 [0116.615] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0116.615] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="...") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="$RECYCLE.BIN") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="rsa") returned -1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="log") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="NTDETECT.COM") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="ntldr") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="MSDOS.SYS") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="IO.SYS") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="boot.ini") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="AUTOEXEC.BAT") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="ntuser.dat") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="desktop.ini") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="CONFIG.SYS") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="RECYCLER") returned -1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="BOOTSECT.BAK") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="bootmgr") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="programdata") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="appdata") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="program files") returned 1 [0116.616] lstrcmpiW (lpString1="Recent", lpString2="program files (x86)") returned 1 [0116.616] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.616] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Recent" | out: lpString1="C:\\Users\\Default\\Recent") returned="C:\\Users\\Default\\Recent" [0116.616] lstrcatW (in: lpString1="C:\\Users\\Default\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Recent\\") returned="C:\\Users\\Default\\Recent\\" [0116.616] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Recent\\" | out: lpString1="C:\\Users\\Default\\Recent\\") returned="C:\\Users\\Default\\Recent\\" [0116.616] lstrcatW (in: lpString1="C:\\Users\\Default\\Recent\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Recent\\*.*") returned="C:\\Users\\Default\\Recent\\*.*" [0116.616] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Recent\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0116.616] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="...") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="windows") returned -1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="$RECYCLE.BIN") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="rsa") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="log") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="NTDETECT.COM") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="ntldr") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="MSDOS.SYS") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="IO.SYS") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="boot.ini") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="AUTOEXEC.BAT") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="ntuser.dat") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="desktop.ini") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="CONFIG.SYS") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="RECYCLER") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="BOOTSECT.BAK") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="bootmgr") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="programdata") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="appdata") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="program files") returned 1 [0116.617] lstrcmpiW (lpString1="Saved Games", lpString2="program files (x86)") returned 1 [0116.617] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.617] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Saved Games" | out: lpString1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0116.617] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Saved Games\\") returned="C:\\Users\\Default\\Saved Games\\" [0116.617] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Saved Games\\" | out: lpString1="C:\\Users\\Default\\Saved Games\\") returned="C:\\Users\\Default\\Saved Games\\" [0116.617] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Saved Games\\*.*") returned="C:\\Users\\Default\\Saved Games\\*.*" [0116.618] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.618] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.618] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="..", cAlternateFileName="")) returned 1 [0116.618] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.618] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.618] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.618] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.618] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.618] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.618] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.618] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.618] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.618] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.618] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.618] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.619] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.619] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.619] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.619] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.619] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.619] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.619] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0116.619] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.619] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Searches", cAlternateFileName="")) returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2=".") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="..") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="...") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="windows") returned -1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="$RECYCLE.BIN") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="rsa") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="log") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="NTDETECT.COM") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="ntldr") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="MSDOS.SYS") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="IO.SYS") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="boot.ini") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="AUTOEXEC.BAT") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="ntuser.dat") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="desktop.ini") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="CONFIG.SYS") returned 1 [0116.619] lstrcmpiW (lpString1="Searches", lpString2="RECYCLER") returned 1 [0116.620] lstrcmpiW (lpString1="Searches", lpString2="BOOTSECT.BAK") returned 1 [0116.620] lstrcmpiW (lpString1="Searches", lpString2="bootmgr") returned 1 [0116.620] lstrcmpiW (lpString1="Searches", lpString2="programdata") returned 1 [0116.620] lstrcmpiW (lpString1="Searches", lpString2="appdata") returned 1 [0116.620] lstrcmpiW (lpString1="Searches", lpString2="program files") returned 1 [0116.620] lstrcmpiW (lpString1="Searches", lpString2="program files (x86)") returned 1 [0116.620] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.620] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Searches" | out: lpString1="C:\\Users\\Default\\Searches") returned="C:\\Users\\Default\\Searches" [0116.620] lstrcatW (in: lpString1="C:\\Users\\Default\\Searches", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Searches\\") returned="C:\\Users\\Default\\Searches\\" [0116.620] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Searches\\" | out: lpString1="C:\\Users\\Default\\Searches\\") returned="C:\\Users\\Default\\Searches\\" [0116.620] lstrcatW (in: lpString1="C:\\Users\\Default\\Searches\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Searches\\*.*") returned="C:\\Users\\Default\\Searches\\*.*" [0116.620] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Searches\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.626] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.626] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="..", cAlternateFileName="")) returned 1 [0116.626] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.626] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.626] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.626] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.626] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.626] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.626] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.626] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.626] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.626] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.626] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.627] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.627] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.627] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.627] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.627] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.627] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.627] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.627] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99d9932, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2=".") returned 1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="..") returned 1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="...") returned 1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="windows") returned -1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="$RECYCLE.BIN") returned 1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="rsa") returned -1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="log") returned -1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="NTDETECT.COM") returned -1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntldr") returned -1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="MSDOS.SYS") returned -1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="IO.SYS") returned -1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="boot.ini") returned 1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="AUTOEXEC.BAT") returned 1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntuser.dat") returned -1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="desktop.ini") returned 1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="CONFIG.SYS") returned 1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="RECYCLER") returned -1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="BOOTSECT.BAK") returned 1 [0116.627] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="bootmgr") returned 1 [0116.628] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="programdata") returned -1 [0116.628] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="appdata") returned 1 [0116.628] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="program files") returned -1 [0116.628] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="program files (x86)") returned -1 [0116.628] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Searches\\" | out: lpString1="C:\\Users\\Default\\Searches\\") returned="C:\\Users\\Default\\Searches\\" [0116.628] lstrcatW (in: lpString1="C:\\Users\\Default\\Searches\\", lpString2="Everywhere.search-ms" | out: lpString1="C:\\Users\\Default\\Searches\\Everywhere.search-ms") returned="C:\\Users\\Default\\Searches\\Everywhere.search-ms" [0116.628] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".exe") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".log") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".cab") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".cmd") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".com") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".cpl") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".ini") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".dll") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".url") returned -1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".ttf") returned -1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".mp3") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".pif") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".mp4") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".NEPHILIM") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".msi") returned 1 [0116.628] lstrcmpiW (lpString1=".search-ms", lpString2=".lnk") returned 1 [0116.628] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0116.628] lstrlenA (lpString="NEPHILIM") returned 8 [0116.628] GetProcessHeap () returned 0x4e0000 [0116.628] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bf00 [0116.629] lstrlenA (lpString="NEPHILIM") returned 8 [0116.629] CreateFileW (lpFileName="C:\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0116.630] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=4294968320) returned 0 [0116.630] GetProcessHeap () returned 0x4e0000 [0116.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dec8 [0116.630] GetProcessHeap () returned 0x4e0000 [0116.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50deb0 [0116.630] SystemFunction036 (in: RandomBuffer=0x50dec8, RandomBufferLength=0x10 | out: RandomBuffer=0x50dec8) returned 1 [0116.630] SystemFunction036 (in: RandomBuffer=0x50deb0, RandomBufferLength=0x10 | out: RandomBuffer=0x50deb0) returned 1 [0116.630] GetProcessHeap () returned 0x4e0000 [0116.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e388 [0116.630] GetProcessHeap () returned 0x4e0000 [0116.630] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e280 [0116.630] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e388*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e388*, pdwDataLen=0x24de208*=0x100) returned 1 [0116.630] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e280*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e280*, pdwDataLen=0x24de204*=0x100) returned 1 [0116.631] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0116.631] SetLastError (dwErrCode=0x0) [0116.631] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51e388, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0) returned 0 [0116.631] GetLastError () returned 0x6 [0116.631] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="...") returned 1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="windows") returned -1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="$RECYCLE.BIN") returned 1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="rsa") returned -1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="log") returned -1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="NTDETECT.COM") returned -1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntldr") returned -1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="MSDOS.SYS") returned -1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="IO.SYS") returned -1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="boot.ini") returned 1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="AUTOEXEC.BAT") returned 1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntuser.dat") returned -1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="desktop.ini") returned 1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="CONFIG.SYS") returned 1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="RECYCLER") returned -1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="BOOTSECT.BAK") returned 1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="bootmgr") returned 1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="programdata") returned -1 [0116.631] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="appdata") returned 1 [0116.632] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="program files") returned -1 [0116.632] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="program files (x86)") returned -1 [0116.632] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Default\\Searches\\" | out: lpString1="C:\\Users\\Default\\Searches\\") returned="C:\\Users\\Default\\Searches\\" [0116.632] lstrcatW (in: lpString1="C:\\Users\\Default\\Searches\\", lpString2="Indexed Locations.search-ms" | out: lpString1="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms") returned="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms" [0116.632] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".exe") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".log") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".cab") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".cmd") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".com") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".cpl") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".ini") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".dll") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".url") returned -1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".ttf") returned -1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".mp3") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".pif") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".mp4") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".NEPHILIM") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".msi") returned 1 [0116.632] lstrcmpiW (lpString1=".search-ms", lpString2=".lnk") returned 1 [0116.632] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0116.632] lstrlenA (lpString="NEPHILIM") returned 8 [0116.632] GetProcessHeap () returned 0x4e0000 [0116.632] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bf10 [0116.632] lstrlenA (lpString="NEPHILIM") returned 8 [0116.632] CreateFileW (lpFileName="C:\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0116.633] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=4294968320) returned 0 [0116.633] GetProcessHeap () returned 0x4e0000 [0116.633] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50dee0 [0116.633] GetProcessHeap () returned 0x4e0000 [0116.633] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50def8 [0116.633] SystemFunction036 (in: RandomBuffer=0x50dee0, RandomBufferLength=0x10 | out: RandomBuffer=0x50dee0) returned 1 [0116.633] SystemFunction036 (in: RandomBuffer=0x50def8, RandomBufferLength=0x10 | out: RandomBuffer=0x50def8) returned 1 [0116.633] GetProcessHeap () returned 0x4e0000 [0116.633] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e490 [0116.633] GetProcessHeap () returned 0x4e0000 [0116.633] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e598 [0116.633] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e490*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e490*, pdwDataLen=0x24de208*=0x100) returned 1 [0116.633] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e598*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e598*, pdwDataLen=0x24de204*=0x100) returned 1 [0116.634] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x400, lpNewFilePointer=0x1, dwMoveMethod=0x0 | out: lpNewFilePointer=0x1) returned 0 [0116.634] SetLastError (dwErrCode=0x0) [0116.634] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51e490, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0) returned 0 [0116.634] GetLastError () returned 0x6 [0116.634] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0116.634] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.635] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="...") returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="windows") returned -1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="$RECYCLE.BIN") returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="rsa") returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="log") returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="NTDETECT.COM") returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="ntldr") returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="MSDOS.SYS") returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="IO.SYS") returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="boot.ini") returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="AUTOEXEC.BAT") returned 1 [0116.635] lstrcmpiW (lpString1="SendTo", lpString2="ntuser.dat") returned 1 [0116.636] lstrcmpiW (lpString1="SendTo", lpString2="desktop.ini") returned 1 [0116.636] lstrcmpiW (lpString1="SendTo", lpString2="CONFIG.SYS") returned 1 [0116.636] lstrcmpiW (lpString1="SendTo", lpString2="RECYCLER") returned 1 [0116.636] lstrcmpiW (lpString1="SendTo", lpString2="BOOTSECT.BAK") returned 1 [0116.636] lstrcmpiW (lpString1="SendTo", lpString2="bootmgr") returned 1 [0116.636] lstrcmpiW (lpString1="SendTo", lpString2="programdata") returned 1 [0116.636] lstrcmpiW (lpString1="SendTo", lpString2="appdata") returned 1 [0116.636] lstrcmpiW (lpString1="SendTo", lpString2="program files") returned 1 [0116.636] lstrcmpiW (lpString1="SendTo", lpString2="program files (x86)") returned 1 [0116.636] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.636] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="SendTo" | out: lpString1="C:\\Users\\Default\\SendTo") returned="C:\\Users\\Default\\SendTo" [0116.636] lstrcatW (in: lpString1="C:\\Users\\Default\\SendTo", lpString2="\\" | out: lpString1="C:\\Users\\Default\\SendTo\\") returned="C:\\Users\\Default\\SendTo\\" [0116.636] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\SendTo\\" | out: lpString1="C:\\Users\\Default\\SendTo\\") returned="C:\\Users\\Default\\SendTo\\" [0116.636] lstrcatW (in: lpString1="C:\\Users\\Default\\SendTo\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\SendTo\\*.*") returned="C:\\Users\\Default\\SendTo\\*.*" [0116.636] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\SendTo\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0116.636] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0116.636] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0116.636] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0116.636] lstrcmpiW (lpString1="Start Menu", lpString2="...") returned 1 [0116.636] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0116.636] lstrcmpiW (lpString1="Start Menu", lpString2="$RECYCLE.BIN") returned 1 [0116.636] lstrcmpiW (lpString1="Start Menu", lpString2="rsa") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="log") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="NTDETECT.COM") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="ntldr") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="MSDOS.SYS") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="IO.SYS") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="boot.ini") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="AUTOEXEC.BAT") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="ntuser.dat") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="desktop.ini") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="CONFIG.SYS") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="RECYCLER") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="BOOTSECT.BAK") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="bootmgr") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="programdata") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="appdata") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="program files") returned 1 [0116.637] lstrcmpiW (lpString1="Start Menu", lpString2="program files (x86)") returned 1 [0116.637] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.637] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Start Menu" | out: lpString1="C:\\Users\\Default\\Start Menu") returned="C:\\Users\\Default\\Start Menu" [0116.637] lstrcatW (in: lpString1="C:\\Users\\Default\\Start Menu", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Start Menu\\") returned="C:\\Users\\Default\\Start Menu\\" [0116.637] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Start Menu\\" | out: lpString1="C:\\Users\\Default\\Start Menu\\") returned="C:\\Users\\Default\\Start Menu\\" [0116.637] lstrcatW (in: lpString1="C:\\Users\\Default\\Start Menu\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Start Menu\\*.*") returned="C:\\Users\\Default\\Start Menu\\*.*" [0116.637] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Start Menu\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0116.638] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="...") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="$RECYCLE.BIN") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="rsa") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="log") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="NTDETECT.COM") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="ntldr") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="MSDOS.SYS") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="IO.SYS") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="boot.ini") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="AUTOEXEC.BAT") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="ntuser.dat") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="desktop.ini") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="CONFIG.SYS") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="RECYCLER") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="BOOTSECT.BAK") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="programdata") returned 1 [0116.638] lstrcmpiW (lpString1="Templates", lpString2="appdata") returned 1 [0116.639] lstrcmpiW (lpString1="Templates", lpString2="program files") returned 1 [0116.639] lstrcmpiW (lpString1="Templates", lpString2="program files (x86)") returned 1 [0116.639] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.639] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Templates" | out: lpString1="C:\\Users\\Default\\Templates") returned="C:\\Users\\Default\\Templates" [0116.639] lstrcatW (in: lpString1="C:\\Users\\Default\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Templates\\") returned="C:\\Users\\Default\\Templates\\" [0116.639] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Templates\\" | out: lpString1="C:\\Users\\Default\\Templates\\") returned="C:\\Users\\Default\\Templates\\" [0116.639] lstrcatW (in: lpString1="C:\\Users\\Default\\Templates\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Templates\\*.*") returned="C:\\Users\\Default\\Templates\\*.*" [0116.639] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Templates\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0116.639] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Videos", cAlternateFileName="")) returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="...") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="$RECYCLE.BIN") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="rsa") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="log") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="NTDETECT.COM") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="ntldr") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="MSDOS.SYS") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="IO.SYS") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="boot.ini") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="AUTOEXEC.BAT") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="ntuser.dat") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="desktop.ini") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="CONFIG.SYS") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="RECYCLER") returned 1 [0116.639] lstrcmpiW (lpString1="Videos", lpString2="BOOTSECT.BAK") returned 1 [0116.640] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0116.640] lstrcmpiW (lpString1="Videos", lpString2="programdata") returned 1 [0116.640] lstrcmpiW (lpString1="Videos", lpString2="appdata") returned 1 [0116.640] lstrcmpiW (lpString1="Videos", lpString2="program files") returned 1 [0116.640] lstrcmpiW (lpString1="Videos", lpString2="program files (x86)") returned 1 [0116.640] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Default\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0116.640] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Videos" | out: lpString1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0116.640] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Videos\\") returned="C:\\Users\\Default\\Videos\\" [0116.640] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Default\\Videos\\" | out: lpString1="C:\\Users\\Default\\Videos\\") returned="C:\\Users\\Default\\Videos\\" [0116.640] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default\\Videos\\*.*") returned="C:\\Users\\Default\\Videos\\*.*" [0116.640] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.640] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.640] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="..", cAlternateFileName="")) returned 1 [0116.640] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.640] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.640] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.640] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.640] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.640] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.640] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.641] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.641] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.641] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.641] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.641] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.641] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.641] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.641] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.641] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.641] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.641] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.641] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x24de42c, dwReserved1=0xec5becb0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0116.641] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.641] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Videos", cAlternateFileName="")) returned 0 [0116.641] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0116.641] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x3c67b114, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2=".") returned 1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2="..") returned 1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2="...") returned 1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2="windows") returned -1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2="$RECYCLE.BIN") returned 1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2="rsa") returned -1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2="log") returned -1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2="NTDETECT.COM") returned -1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2="ntldr") returned -1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2="MSDOS.SYS") returned -1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2="IO.SYS") returned -1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2="boot.ini") returned 1 [0116.641] lstrcmpiW (lpString1="Default User", lpString2="AUTOEXEC.BAT") returned 1 [0116.642] lstrcmpiW (lpString1="Default User", lpString2="ntuser.dat") returned -1 [0116.642] lstrcmpiW (lpString1="Default User", lpString2="desktop.ini") returned -1 [0116.642] lstrcmpiW (lpString1="Default User", lpString2="CONFIG.SYS") returned 1 [0116.642] lstrcmpiW (lpString1="Default User", lpString2="RECYCLER") returned -1 [0116.642] lstrcmpiW (lpString1="Default User", lpString2="BOOTSECT.BAK") returned 1 [0116.642] lstrcmpiW (lpString1="Default User", lpString2="bootmgr") returned 1 [0116.642] lstrcmpiW (lpString1="Default User", lpString2="programdata") returned -1 [0116.642] lstrcmpiW (lpString1="Default User", lpString2="appdata") returned 1 [0116.642] lstrcmpiW (lpString1="Default User", lpString2="program files") returned -1 [0116.642] lstrcmpiW (lpString1="Default User", lpString2="program files (x86)") returned -1 [0116.642] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Users\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\" [0116.642] lstrcatW (in: lpString1="C:\\Users\\", lpString2="Default User" | out: lpString1="C:\\Users\\Default User") returned="C:\\Users\\Default User" [0116.642] lstrcatW (in: lpString1="C:\\Users\\Default User", lpString2="\\" | out: lpString1="C:\\Users\\Default User\\") returned="C:\\Users\\Default User\\" [0116.642] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Users\\Default User\\" | out: lpString1="C:\\Users\\Default User\\") returned="C:\\Users\\Default User\\" [0116.642] lstrcatW (in: lpString1="C:\\Users\\Default User\\", lpString2="*.*" | out: lpString1="C:\\Users\\Default User\\*.*") returned="C:\\Users\\Default User\\*.*" [0116.642] FindFirstFileW (in: lpFileName="C:\\Users\\Default User\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Videos", cAlternateFileName="")) returned 0xffffffff [0116.642] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x3c67b114, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.642] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.642] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.642] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.642] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.642] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.642] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.642] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.642] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.643] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.643] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.643] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.643] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.643] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.643] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.643] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.643] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x3c67b114, cFileName="Public", cAlternateFileName="")) returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2=".") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="..") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="...") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="windows") returned -1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="$RECYCLE.BIN") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="rsa") returned -1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="log") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="NTDETECT.COM") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="ntldr") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="MSDOS.SYS") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="IO.SYS") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="boot.ini") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="AUTOEXEC.BAT") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="ntuser.dat") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="desktop.ini") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="CONFIG.SYS") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="RECYCLER") returned -1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="BOOTSECT.BAK") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="bootmgr") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="programdata") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="appdata") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="program files") returned 1 [0116.643] lstrcmpiW (lpString1="Public", lpString2="program files (x86)") returned 1 [0116.644] lstrcpyW (in: lpString1=0x24df3d8, lpString2="C:\\Users\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\" [0116.644] lstrcatW (in: lpString1="C:\\Users\\", lpString2="Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public" [0116.644] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0116.644] lstrcpyW (in: lpString1=0x24def60, lpString2="C:\\Users\\Public\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0116.644] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\*.*") returned="C:\\Users\\Public\\*.*" [0116.644] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*.*", lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName=".", cAlternateFileName="")) returned 0x50a8c0 [0116.644] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.644] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.644] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.644] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.644] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="$RECYCLE.BIN") returned 1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="log") returned -1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="NTDETECT.COM") returned -1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="ntldr") returned -1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="MSDOS.SYS") returned -1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="IO.SYS") returned -1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="boot.ini") returned 1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="AUTOEXEC.BAT") returned 1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0116.644] lstrcmpiW (lpString1="Desktop", lpString2="desktop.ini") returned -1 [0116.645] lstrcmpiW (lpString1="Desktop", lpString2="CONFIG.SYS") returned 1 [0116.645] lstrcmpiW (lpString1="Desktop", lpString2="RECYCLER") returned -1 [0116.645] lstrcmpiW (lpString1="Desktop", lpString2="BOOTSECT.BAK") returned 1 [0116.645] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0116.645] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0116.645] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0116.645] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0116.645] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0116.645] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Public\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0116.645] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Desktop" | out: lpString1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0116.645] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0116.645] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Public\\Desktop\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0116.645] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Desktop\\*.*") returned="C:\\Users\\Public\\Desktop\\*.*" [0116.645] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x280026, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.645] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.645] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x280026, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.645] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.645] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.645] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83c279c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x83c279c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x83c4db20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x7e9, dwReserved0=0x280026, dwReserved1=0x24def60, cFileName="Adobe Reader X.lnk", cAlternateFileName="ADOBER~1.LNK")) returned 1 [0116.645] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2=".") returned 1 [0116.645] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="..") returned 1 [0116.645] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="...") returned 1 [0116.645] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="windows") returned -1 [0116.645] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="$RECYCLE.BIN") returned 1 [0116.645] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="rsa") returned -1 [0116.645] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="log") returned -1 [0116.645] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="NTDETECT.COM") returned -1 [0116.645] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="ntldr") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="MSDOS.SYS") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="IO.SYS") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="boot.ini") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="AUTOEXEC.BAT") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="ntuser.dat") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="desktop.ini") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="CONFIG.SYS") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="RECYCLER") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="BOOTSECT.BAK") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="bootmgr") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="programdata") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="appdata") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="program files") returned -1 [0116.646] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="program files (x86)") returned -1 [0116.646] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Public\\Desktop\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0116.646] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="Adobe Reader X.lnk" | out: lpString1="C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned="C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" [0116.646] PathFindExtensionW (pszPath="Adobe Reader X.lnk") returned=".lnk" [0116.646] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0116.646] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0116.646] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0116.646] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0116.646] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0116.646] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0116.646] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0116.646] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0116.646] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0116.646] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0116.646] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0116.646] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0116.647] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0116.647] lstrcmpiW (lpString1=".lnk", lpString2=".NEPHILIM") returned -1 [0116.647] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0116.647] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0116.647] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2826d6cd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2826d6cd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28860dd8, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x280026, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.647] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.647] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7df21ca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7df21ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7df21ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x8d1, dwReserved0=0x280026, dwReserved1=0x24def60, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0116.647] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0116.647] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0116.647] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="...") returned 1 [0116.647] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="windows") returned -1 [0116.647] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="$RECYCLE.BIN") returned 1 [0116.647] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="rsa") returned -1 [0116.647] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="log") returned -1 [0116.647] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="NTDETECT.COM") returned -1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ntldr") returned -1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="MSDOS.SYS") returned -1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="IO.SYS") returned -1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="boot.ini") returned 1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ntuser.dat") returned -1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="desktop.ini") returned 1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="CONFIG.SYS") returned 1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="RECYCLER") returned -1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="BOOTSECT.BAK") returned 1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="bootmgr") returned 1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="programdata") returned -1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="appdata") returned 1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="program files") returned -1 [0116.648] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="program files (x86)") returned -1 [0116.648] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Public\\Desktop\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0116.648] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="Google Chrome.lnk" | out: lpString1="C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned="C:\\Users\\Public\\Desktop\\Google Chrome.lnk" [0116.648] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0116.648] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0116.649] lstrcmpiW (lpString1=".lnk", lpString2=".NEPHILIM") returned -1 [0116.649] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0116.649] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0116.649] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0a09a40, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x485, dwReserved0=0x280026, dwReserved1=0x24def60, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="...") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="windows") returned -1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="$RECYCLE.BIN") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="rsa") returned -1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="log") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="NTDETECT.COM") returned -1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="ntldr") returned -1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="MSDOS.SYS") returned -1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="IO.SYS") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="boot.ini") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="ntuser.dat") returned -1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="desktop.ini") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="CONFIG.SYS") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="RECYCLER") returned -1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="BOOTSECT.BAK") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="bootmgr") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="programdata") returned -1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="appdata") returned 1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="program files") returned -1 [0116.649] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="program files (x86)") returned -1 [0116.650] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Public\\Desktop\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0116.650] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="Mozilla Firefox.lnk" | out: lpString1="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0116.650] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".NEPHILIM") returned -1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0116.650] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0116.650] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0a09a40, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x485, dwReserved0=0x280026, dwReserved1=0x24def60, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 0 [0116.650] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.650] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.650] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.650] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.651] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.651] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.651] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.651] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.651] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.651] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.651] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.651] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.651] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.651] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.652] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.652] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.652] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.652] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="log") returned -1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0116.652] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0116.652] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Public\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0116.652] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Documents" | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0116.653] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\" [0116.653] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Public\\Documents\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\" [0116.653] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Documents\\*.*") returned="C:\\Users\\Public\\Documents\\*.*" [0116.653] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x280026, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.653] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.653] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x280026, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.653] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.653] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.653] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28697d55, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28697d55, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x280026, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.653] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.653] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.653] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.653] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.653] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.653] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.653] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.653] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.653] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.654] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.654] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.654] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.654] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.654] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.654] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.654] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="$RECYCLE.BIN") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="log") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="NTDETECT.COM") returned -1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="ntldr") returned -1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="MSDOS.SYS") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="IO.SYS") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="boot.ini") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="AUTOEXEC.BAT") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="desktop.ini") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="CONFIG.SYS") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="RECYCLER") returned -1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="BOOTSECT.BAK") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0116.654] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0116.655] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0116.655] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Public\\Documents\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\" [0116.655] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\Public\\Documents\\My Music") returned="C:\\Users\\Public\\Documents\\My Music" [0116.655] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Music\\") returned="C:\\Users\\Public\\Documents\\My Music\\" [0116.655] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Public\\Documents\\My Music\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Music\\") returned="C:\\Users\\Public\\Documents\\My Music\\" [0116.655] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Documents\\My Music\\*.*") returned="C:\\Users\\Public\\Documents\\My Music\\*.*" [0116.655] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x759be647, ftCreationTime.dwLowDateTime=0x24de19c, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x50fd10, ftLastAccessTime.dwHighDateTime=0x24dfeb4, ftLastWriteTime.dwLowDateTime=0x77cb1ecd, ftLastWriteTime.dwHighDateTime=0x24de1c4, nFileSizeHigh=0xfffffffe, nFileSizeLow=0x1d, dwReserved0=0x3c003a, dwReserved1=0x24de8e0, cFileName="Ȩ", cAlternateFileName="\x98")) returned 0xffffffff [0116.655] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0116.655] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0116.655] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0116.655] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0116.655] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0116.655] lstrcmpiW (lpString1="My Pictures", lpString2="$RECYCLE.BIN") returned 1 [0116.655] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0116.655] lstrcmpiW (lpString1="My Pictures", lpString2="log") returned 1 [0116.655] lstrcmpiW (lpString1="My Pictures", lpString2="NTDETECT.COM") returned -1 [0116.655] lstrcmpiW (lpString1="My Pictures", lpString2="ntldr") returned -1 [0116.655] lstrcmpiW (lpString1="My Pictures", lpString2="MSDOS.SYS") returned 1 [0116.655] lstrcmpiW (lpString1="My Pictures", lpString2="IO.SYS") returned 1 [0116.655] lstrcmpiW (lpString1="My Pictures", lpString2="boot.ini") returned 1 [0116.656] lstrcmpiW (lpString1="My Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0116.656] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0116.656] lstrcmpiW (lpString1="My Pictures", lpString2="desktop.ini") returned 1 [0116.656] lstrcmpiW (lpString1="My Pictures", lpString2="CONFIG.SYS") returned 1 [0116.656] lstrcmpiW (lpString1="My Pictures", lpString2="RECYCLER") returned -1 [0116.656] lstrcmpiW (lpString1="My Pictures", lpString2="BOOTSECT.BAK") returned 1 [0116.656] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0116.656] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0116.656] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0116.656] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0116.656] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0116.656] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Public\\Documents\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\" [0116.656] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures") returned="C:\\Users\\Public\\Documents\\My Pictures" [0116.656] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\") returned="C:\\Users\\Public\\Documents\\My Pictures\\" [0116.656] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Public\\Documents\\My Pictures\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\") returned="C:\\Users\\Public\\Documents\\My Pictures\\" [0116.656] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\*.*") returned="C:\\Users\\Public\\Documents\\My Pictures\\*.*" [0116.656] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x759be647, ftCreationTime.dwLowDateTime=0x24de19c, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x50fd10, ftLastAccessTime.dwHighDateTime=0x24dfeb4, ftLastWriteTime.dwLowDateTime=0x77cb1ecd, ftLastWriteTime.dwHighDateTime=0x24de1c4, nFileSizeHigh=0xfffffffe, nFileSizeLow=0x1d, dwReserved0=0x3c003a, dwReserved1=0x24de8e0, cFileName="Ȩ", cAlternateFileName="\x98")) returned 0xffffffff [0116.656] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0116.656] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0116.656] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0116.656] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0116.656] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="$RECYCLE.BIN") returned 1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="log") returned 1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="NTDETECT.COM") returned -1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="ntldr") returned -1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="MSDOS.SYS") returned 1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="IO.SYS") returned 1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="boot.ini") returned 1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="AUTOEXEC.BAT") returned 1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="desktop.ini") returned 1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="CONFIG.SYS") returned 1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="RECYCLER") returned -1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="BOOTSECT.BAK") returned 1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0116.657] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0116.658] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Public\\Documents\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\" [0116.658] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos") returned="C:\\Users\\Public\\Documents\\My Videos" [0116.658] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos\\") returned="C:\\Users\\Public\\Documents\\My Videos\\" [0116.658] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Public\\Documents\\My Videos\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos\\") returned="C:\\Users\\Public\\Documents\\My Videos\\" [0116.658] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos\\*.*") returned="C:\\Users\\Public\\Documents\\My Videos\\*.*" [0116.658] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x759be647, ftCreationTime.dwLowDateTime=0x24de19c, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x50fd10, ftLastAccessTime.dwHighDateTime=0x24dfeb4, ftLastWriteTime.dwLowDateTime=0x77cb1ecd, ftLastWriteTime.dwHighDateTime=0x24de1c4, nFileSizeHigh=0xfffffffe, nFileSizeLow=0x1d, dwReserved0=0x3c003a, dwReserved1=0x24de8e0, cFileName="Ȩ", cAlternateFileName="\x98")) returned 0xffffffff [0116.658] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0116.658] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.658] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0116.658] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0116.658] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0116.658] lstrcmpiW (lpString1="Downloads", lpString2="...") returned 1 [0116.658] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0116.658] lstrcmpiW (lpString1="Downloads", lpString2="$RECYCLE.BIN") returned 1 [0116.658] lstrcmpiW (lpString1="Downloads", lpString2="rsa") returned -1 [0116.658] lstrcmpiW (lpString1="Downloads", lpString2="log") returned -1 [0116.658] lstrcmpiW (lpString1="Downloads", lpString2="NTDETECT.COM") returned -1 [0116.658] lstrcmpiW (lpString1="Downloads", lpString2="ntldr") returned -1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="MSDOS.SYS") returned -1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="IO.SYS") returned -1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="boot.ini") returned 1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="AUTOEXEC.BAT") returned 1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="ntuser.dat") returned -1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="desktop.ini") returned 1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="CONFIG.SYS") returned 1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="RECYCLER") returned -1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="BOOTSECT.BAK") returned 1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="programdata") returned -1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="appdata") returned 1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="program files") returned -1 [0116.659] lstrcmpiW (lpString1="Downloads", lpString2="program files (x86)") returned -1 [0116.659] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Public\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0116.659] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Downloads" | out: lpString1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0116.659] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Downloads\\") returned="C:\\Users\\Public\\Downloads\\" [0116.659] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Public\\Downloads\\" | out: lpString1="C:\\Users\\Public\\Downloads\\") returned="C:\\Users\\Public\\Downloads\\" [0116.659] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Downloads\\*.*") returned="C:\\Users\\Public\\Downloads\\*.*" [0116.659] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.660] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.660] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.660] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.660] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.660] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28351f0f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.660] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.660] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28351f0f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0116.660] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.660] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0116.660] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0116.660] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0116.660] lstrcmpiW (lpString1="Favorites", lpString2="...") returned 1 [0116.660] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0116.660] lstrcmpiW (lpString1="Favorites", lpString2="$RECYCLE.BIN") returned 1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="rsa") returned -1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="log") returned -1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="NTDETECT.COM") returned -1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="ntldr") returned -1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="MSDOS.SYS") returned -1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="IO.SYS") returned -1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="boot.ini") returned 1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="AUTOEXEC.BAT") returned 1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="ntuser.dat") returned -1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="desktop.ini") returned 1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="CONFIG.SYS") returned 1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="RECYCLER") returned -1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="BOOTSECT.BAK") returned 1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="bootmgr") returned 1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="programdata") returned -1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="appdata") returned 1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="program files") returned -1 [0116.661] lstrcmpiW (lpString1="Favorites", lpString2="program files (x86)") returned -1 [0116.661] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Public\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0116.661] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Favorites" | out: lpString1="C:\\Users\\Public\\Favorites") returned="C:\\Users\\Public\\Favorites" [0116.661] lstrcatW (in: lpString1="C:\\Users\\Public\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Favorites\\") returned="C:\\Users\\Public\\Favorites\\" [0116.661] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Public\\Favorites\\" | out: lpString1="C:\\Users\\Public\\Favorites\\") returned="C:\\Users\\Public\\Favorites\\" [0116.661] lstrcatW (in: lpString1="C:\\Users\\Public\\Favorites\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Favorites\\*.*") returned="C:\\Users\\Public\\Favorites\\*.*" [0116.661] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Favorites\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.661] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.661] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.662] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.662] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.662] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 0 [0116.662] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.662] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2=".") returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="..") returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="...") returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="windows") returned -1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="$RECYCLE.BIN") returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="rsa") returned -1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="log") returned -1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="NTDETECT.COM") returned -1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="ntldr") returned -1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="MSDOS.SYS") returned -1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="IO.SYS") returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="boot.ini") returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="AUTOEXEC.BAT") returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="ntuser.dat") returned -1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="desktop.ini") returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="CONFIG.SYS") returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="RECYCLER") returned -1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="BOOTSECT.BAK") returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="bootmgr") returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="programdata") returned -1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="appdata") returned 1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="program files") returned -1 [0116.662] lstrcmpiW (lpString1="Libraries", lpString2="program files (x86)") returned -1 [0116.662] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Public\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0116.662] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Libraries" | out: lpString1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0116.662] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0116.663] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Public\\Libraries\\" | out: lpString1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0116.663] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Libraries\\*.*") returned="C:\\Users\\Public\\Libraries\\*.*" [0116.663] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.663] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.663] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.663] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.663] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.663] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2839e1d0, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2839e1d0, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288f9359, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x58, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.663] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.663] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.663] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.663] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.663] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.663] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.663] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.663] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.663] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.663] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.663] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.663] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.664] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.664] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.664] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.664] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2837806f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x289b7a3b, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x36c, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2=".") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="..") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="...") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="windows") returned -1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="$RECYCLE.BIN") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="rsa") returned -1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="log") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="NTDETECT.COM") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntldr") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="MSDOS.SYS") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="IO.SYS") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="boot.ini") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="AUTOEXEC.BAT") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntuser.dat") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="desktop.ini") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="CONFIG.SYS") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="RECYCLER") returned -1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="BOOTSECT.BAK") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="bootmgr") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="programdata") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="appdata") returned 1 [0116.664] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="program files") returned 1 [0116.665] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="program files (x86)") returned 1 [0116.665] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Public\\Libraries\\" | out: lpString1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0116.665] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="RecordedTV.library-ms" | out: lpString1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0116.665] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".exe") returned 1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".log") returned -1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".cab") returned 1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".cmd") returned 1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".com") returned 1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".cpl") returned 1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".ini") returned 1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".dll") returned 1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".url") returned -1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".ttf") returned -1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".mp3") returned -1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".pif") returned -1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".mp4") returned -1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".NEPHILIM") returned -1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".msi") returned -1 [0116.665] lstrcmpiW (lpString1=".library-ms", lpString2=".lnk") returned -1 [0116.665] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0116.665] lstrlenA (lpString="NEPHILIM") returned 8 [0116.665] GetProcessHeap () returned 0x4e0000 [0116.665] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bf20 [0116.665] lstrlenA (lpString="NEPHILIM") returned 8 [0116.665] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xec [0116.666] GetFileSizeEx (in: hFile=0xec, lpFileSize=0x24de448 | out: lpFileSize=0x24de448*=876) returned 1 [0116.666] GetProcessHeap () returned 0x4e0000 [0116.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df10 [0116.666] GetProcessHeap () returned 0x4e0000 [0116.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df28 [0116.666] SystemFunction036 (in: RandomBuffer=0x50df10, RandomBufferLength=0x10 | out: RandomBuffer=0x50df10) returned 1 [0116.666] SystemFunction036 (in: RandomBuffer=0x50df28, RandomBufferLength=0x10 | out: RandomBuffer=0x50df28) returned 1 [0116.666] GetProcessHeap () returned 0x4e0000 [0116.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e6a0 [0116.666] GetProcessHeap () returned 0x4e0000 [0116.666] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e7a8 [0116.666] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e6a0*, pdwDataLen=0x24de208*=0x10, dwBufLen=0x100 | out: pbData=0x51e6a0*, pdwDataLen=0x24de208*=0x100) returned 1 [0116.667] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e7a8*, pdwDataLen=0x24de204*=0x10, dwBufLen=0x100 | out: pbData=0x51e7a8*, pdwDataLen=0x24de204*=0x100) returned 1 [0116.667] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x36c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.667] SetLastError (dwErrCode=0x0) [0116.667] WriteFile (in: hFile=0xec, lpBuffer=0x51e6a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e6a0*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0116.669] GetLastError () returned 0x0 [0116.669] GetLastError () returned 0x0 [0116.669] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x46c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.669] WriteFile (in: hFile=0xec, lpBuffer=0x51e7a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x51e7a8*, lpNumberOfBytesWritten=0x24de43c*=0x100, lpOverlapped=0x0) returned 1 [0116.669] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x56c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.669] lstrlenA (lpString="NEPHILIM") returned 8 [0116.669] WriteFile (in: hFile=0xec, lpBuffer=0x50bf20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50bf20*, lpNumberOfBytesWritten=0x24de43c*=0x8, lpOverlapped=0x0) returned 1 [0116.669] GetProcessHeap () returned 0x4e0000 [0116.669] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x36c) returned 0x50c0a8 [0116.670] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.670] ReadFile (in: hFile=0xec, lpBuffer=0x50c0a8, nNumberOfBytesToRead=0x36c, lpNumberOfBytesRead=0x24de430, lpOverlapped=0x0 | out: lpBuffer=0x50c0a8*, lpNumberOfBytesRead=0x24de430*=0x36c, lpOverlapped=0x0) returned 1 [0116.670] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.670] WriteFile (in: hFile=0xec, lpBuffer=0x50c0a8*, nNumberOfBytesToWrite=0x36c, lpNumberOfBytesWritten=0x24de43c, lpOverlapped=0x0 | out: lpBuffer=0x50c0a8*, lpNumberOfBytesWritten=0x24de43c*=0x36c, lpOverlapped=0x0) returned 1 [0116.670] GetProcessHeap () returned 0x4e0000 [0116.670] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50c0a8 | out: hHeap=0x4e0000) returned 1 [0116.670] CloseHandle (hObject=0xec) returned 1 [0116.670] GetProcessHeap () returned 0x4e0000 [0116.670] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e6a0 | out: hHeap=0x4e0000) returned 1 [0116.670] GetProcessHeap () returned 0x4e0000 [0116.670] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e7a8 | out: hHeap=0x4e0000) returned 1 [0116.670] GetProcessHeap () returned 0x4e0000 [0116.670] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df10 | out: hHeap=0x4e0000) returned 1 [0116.670] GetProcessHeap () returned 0x4e0000 [0116.670] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df28 | out: hHeap=0x4e0000) returned 1 [0116.671] lstrcpyW (in: lpString1=0x24de228, lpString2="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" | out: lpString1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0116.671] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.NEPHILIM") returned="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.NEPHILIM" [0116.671] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.NEPHILIM" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.nephilim")) returned 1 [0116.671] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2837806f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x289b7a3b, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x36c, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0 [0116.672] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.672] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Music", cAlternateFileName="")) returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="...") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="$RECYCLE.BIN") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="rsa") returned -1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="log") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="NTDETECT.COM") returned -1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="ntldr") returned -1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="MSDOS.SYS") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="IO.SYS") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="boot.ini") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="AUTOEXEC.BAT") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="ntuser.dat") returned -1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="desktop.ini") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="CONFIG.SYS") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="RECYCLER") returned -1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="BOOTSECT.BAK") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="programdata") returned -1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="appdata") returned 1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="program files") returned -1 [0116.672] lstrcmpiW (lpString1="Music", lpString2="program files (x86)") returned -1 [0116.672] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Public\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0116.672] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Music" | out: lpString1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0116.672] lstrcatW (in: lpString1="C:\\Users\\Public\\Music", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Music\\") returned="C:\\Users\\Public\\Music\\" [0116.672] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Public\\Music\\" | out: lpString1="C:\\Users\\Public\\Music\\") returned="C:\\Users\\Public\\Music\\" [0116.673] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Music\\*.*") returned="C:\\Users\\Public\\Music\\*.*" [0116.673] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.673] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.673] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.673] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.673] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.673] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28305c4e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.673] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.673] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 1 [0116.673] lstrcmpiW (lpString1="Sample Music", lpString2=".") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="..") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="...") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="windows") returned -1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="$RECYCLE.BIN") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="rsa") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="log") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="NTDETECT.COM") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="ntldr") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="MSDOS.SYS") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="IO.SYS") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="boot.ini") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="AUTOEXEC.BAT") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="ntuser.dat") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="desktop.ini") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="CONFIG.SYS") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="RECYCLER") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="BOOTSECT.BAK") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="bootmgr") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="programdata") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="appdata") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="program files") returned 1 [0116.674] lstrcmpiW (lpString1="Sample Music", lpString2="program files (x86)") returned 1 [0116.674] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Public\\Music\\" | out: lpString1="C:\\Users\\Public\\Music\\") returned="C:\\Users\\Public\\Music\\" [0116.674] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="Sample Music" | out: lpString1="C:\\Users\\Public\\Music\\Sample Music") returned="C:\\Users\\Public\\Music\\Sample Music" [0116.674] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\Sample Music", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Music\\Sample Music\\") returned="C:\\Users\\Public\\Music\\Sample Music\\" [0116.674] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Public\\Music\\Sample Music\\" | out: lpString1="C:\\Users\\Public\\Music\\Sample Music\\") returned="C:\\Users\\Public\\Music\\Sample Music\\" [0116.674] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\Sample Music\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Music\\Sample Music\\*.*") returned="C:\\Users\\Public\\Music\\Sample Music\\*.*" [0116.674] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\Sample Music\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.688] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.688] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.688] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.688] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.689] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x24a, dwReserved0=0x340032, dwReserved1=0x24de8e0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.689] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.689] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be5ebf7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x8064f1, dwReserved0=0x340032, dwReserved1=0x24de8e0, cFileName="Kalimba.mp3", cAlternateFileName="")) returned 1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2=".") returned 1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="..") returned 1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="...") returned 1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="windows") returned -1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="$RECYCLE.BIN") returned 1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="rsa") returned -1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="log") returned -1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="NTDETECT.COM") returned -1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="ntldr") returned -1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="MSDOS.SYS") returned -1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="IO.SYS") returned 1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="boot.ini") returned 1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="ntuser.dat") returned -1 [0116.689] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="desktop.ini") returned 1 [0116.690] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="CONFIG.SYS") returned 1 [0116.690] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="RECYCLER") returned -1 [0116.690] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="BOOTSECT.BAK") returned 1 [0116.690] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="bootmgr") returned 1 [0116.690] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="programdata") returned -1 [0116.690] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="appdata") returned 1 [0116.690] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="program files") returned -1 [0116.690] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="program files (x86)") returned -1 [0116.690] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Music\\Sample Music\\" | out: lpString1="C:\\Users\\Public\\Music\\Sample Music\\") returned="C:\\Users\\Public\\Music\\Sample Music\\" [0116.690] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\Sample Music\\", lpString2="Kalimba.mp3" | out: lpString1="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned="C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" [0116.690] PathFindExtensionW (pszPath="Kalimba.mp3") returned=".mp3" [0116.690] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0116.690] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0116.690] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0116.690] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0116.690] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0116.690] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0116.690] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0116.690] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0116.690] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0116.690] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0116.690] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0116.690] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be38a97, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be5ebf7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3ec5d2, dwReserved0=0x340032, dwReserved1=0x24de8e0, cFileName="Maid with the Flaxen Hair.mp3", cAlternateFileName="MAIDWI~1.MP3")) returned 1 [0116.690] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2=".") returned 1 [0116.690] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="..") returned 1 [0116.690] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="...") returned 1 [0116.690] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="windows") returned -1 [0116.690] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="$RECYCLE.BIN") returned 1 [0116.690] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="rsa") returned -1 [0116.690] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="log") returned 1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="NTDETECT.COM") returned -1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="ntldr") returned -1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="MSDOS.SYS") returned -1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="IO.SYS") returned 1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="boot.ini") returned 1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="ntuser.dat") returned -1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="desktop.ini") returned 1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="CONFIG.SYS") returned 1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="RECYCLER") returned -1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="BOOTSECT.BAK") returned 1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="bootmgr") returned 1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="programdata") returned -1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="appdata") returned 1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="program files") returned -1 [0116.691] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="program files (x86)") returned -1 [0116.691] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Music\\Sample Music\\" | out: lpString1="C:\\Users\\Public\\Music\\Sample Music\\") returned="C:\\Users\\Public\\Music\\Sample Music\\" [0116.691] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\Sample Music\\", lpString2="Maid with the Flaxen Hair.mp3" | out: lpString1="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned="C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" [0116.691] PathFindExtensionW (pszPath="Maid with the Flaxen Hair.mp3") returned=".mp3" [0116.691] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0116.691] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0116.691] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0116.691] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0116.691] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0116.691] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0116.691] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0116.691] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0116.691] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0116.691] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0116.692] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0116.692] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x802f4656, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be38a97, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be38a97, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x49e459, dwReserved0=0x340032, dwReserved1=0x24de8e0, cFileName="Sleep Away.mp3", cAlternateFileName="SLEEPA~1.MP3")) returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2=".") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="..") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="...") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="windows") returned -1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="$RECYCLE.BIN") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="rsa") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="log") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="NTDETECT.COM") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="ntldr") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="MSDOS.SYS") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="IO.SYS") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="boot.ini") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="ntuser.dat") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="desktop.ini") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="CONFIG.SYS") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="RECYCLER") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="BOOTSECT.BAK") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="bootmgr") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="programdata") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="appdata") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="program files") returned 1 [0116.692] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="program files (x86)") returned 1 [0116.693] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Music\\Sample Music\\" | out: lpString1="C:\\Users\\Public\\Music\\Sample Music\\") returned="C:\\Users\\Public\\Music\\Sample Music\\" [0116.693] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\Sample Music\\", lpString2="Sleep Away.mp3" | out: lpString1="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned="C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" [0116.693] PathFindExtensionW (pszPath="Sleep Away.mp3") returned=".mp3" [0116.693] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0116.693] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0116.693] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0116.693] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0116.693] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0116.693] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0116.693] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0116.693] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0116.693] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0116.693] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0116.693] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0116.693] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x802f4656, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be38a97, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be38a97, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x49e459, dwReserved0=0x340032, dwReserved1=0x24de8e0, cFileName="Sleep Away.mp3", cAlternateFileName="SLEEPA~1.MP3")) returned 0 [0116.693] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0116.694] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 0 [0116.694] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0116.694] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0116.694] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0116.694] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0116.694] lstrcmpiW (lpString1="Pictures", lpString2="...") returned 1 [0116.694] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0116.694] lstrcmpiW (lpString1="Pictures", lpString2="$RECYCLE.BIN") returned 1 [0116.694] lstrcmpiW (lpString1="Pictures", lpString2="rsa") returned -1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="log") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="NTDETECT.COM") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="ntldr") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="MSDOS.SYS") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="IO.SYS") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="boot.ini") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="ntuser.dat") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="desktop.ini") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="CONFIG.SYS") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="RECYCLER") returned -1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="BOOTSECT.BAK") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="programdata") returned -1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="appdata") returned 1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="program files") returned -1 [0116.695] lstrcmpiW (lpString1="Pictures", lpString2="program files (x86)") returned -1 [0116.695] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Public\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0116.695] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Pictures" | out: lpString1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0116.695] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Pictures\\") returned="C:\\Users\\Public\\Pictures\\" [0116.695] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Public\\Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\") returned="C:\\Users\\Public\\Pictures\\" [0116.695] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Pictures\\*.*") returned="C:\\Users\\Public\\Pictures\\*.*" [0116.695] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0116.696] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.696] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0116.696] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.696] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.696] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.696] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.696] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 1 [0116.696] lstrcmpiW (lpString1="Sample Pictures", lpString2=".") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="..") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="...") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="windows") returned -1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="$RECYCLE.BIN") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="rsa") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="log") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="NTDETECT.COM") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="ntldr") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="MSDOS.SYS") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="IO.SYS") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="boot.ini") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="ntuser.dat") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="desktop.ini") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="CONFIG.SYS") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="RECYCLER") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="BOOTSECT.BAK") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="bootmgr") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="programdata") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="appdata") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="program files") returned 1 [0116.697] lstrcmpiW (lpString1="Sample Pictures", lpString2="program files (x86)") returned 1 [0116.697] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Public\\Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\") returned="C:\\Users\\Public\\Pictures\\" [0116.697] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="Sample Pictures" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures") returned="C:\\Users\\Public\\Pictures\\Sample Pictures" [0116.697] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\" [0116.697] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\" [0116.698] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\*.*") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\*.*" [0116.698] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0116.700] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0116.700] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0116.700] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0116.700] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0116.700] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xd6b22, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="Chrysanthemum.jpg", cAlternateFileName="CHRYSA~1.JPG")) returned 1 [0116.700] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2=".") returned 1 [0116.700] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="..") returned 1 [0116.700] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="...") returned 1 [0116.700] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="windows") returned -1 [0116.700] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="$RECYCLE.BIN") returned 1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="rsa") returned -1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="log") returned -1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="NTDETECT.COM") returned -1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="ntldr") returned -1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="MSDOS.SYS") returned -1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="IO.SYS") returned -1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="boot.ini") returned 1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="ntuser.dat") returned -1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="desktop.ini") returned -1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="CONFIG.SYS") returned -1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="RECYCLER") returned -1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="BOOTSECT.BAK") returned 1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="bootmgr") returned 1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="programdata") returned -1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="appdata") returned 1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="program files") returned -1 [0116.701] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="program files (x86)") returned -1 [0116.701] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\" [0116.701] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Chrysanthemum.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" [0116.701] PathFindExtensionW (pszPath="Chrysanthemum.jpg") returned=".jpg" [0116.701] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0116.701] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0116.701] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0116.701] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0116.702] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0116.702] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0116.702] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0116.702] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0116.702] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0116.702] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0116.702] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0116.702] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0116.702] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0116.702] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0116.702] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0116.702] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0116.702] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0116.702] lstrlenA (lpString="NEPHILIM") returned 8 [0116.702] GetProcessHeap () returned 0x4e0000 [0116.702] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bf30 [0116.702] lstrlenA (lpString="NEPHILIM") returned 8 [0116.702] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0116.704] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=879394) returned 1 [0116.704] GetProcessHeap () returned 0x4e0000 [0116.704] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df28 [0116.704] GetProcessHeap () returned 0x4e0000 [0116.704] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df10 [0116.704] SystemFunction036 (in: RandomBuffer=0x50df28, RandomBufferLength=0x10 | out: RandomBuffer=0x50df28) returned 1 [0116.704] SystemFunction036 (in: RandomBuffer=0x50df10, RandomBufferLength=0x10 | out: RandomBuffer=0x50df10) returned 1 [0116.704] GetProcessHeap () returned 0x4e0000 [0116.704] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e7a8 [0116.704] GetProcessHeap () returned 0x4e0000 [0116.705] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e6a0 [0116.705] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e7a8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e7a8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0116.705] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e6a0*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e6a0*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0116.705] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xd6b22, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.705] SetLastError (dwErrCode=0x0) [0116.705] WriteFile (in: hFile=0xf0, lpBuffer=0x51e7a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e7a8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.718] GetLastError () returned 0x0 [0116.718] GetLastError () returned 0x0 [0116.718] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xd6c22, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.718] WriteFile (in: hFile=0xf0, lpBuffer=0x51e6a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e6a0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.718] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xd6d22, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.718] lstrlenA (lpString="NEPHILIM") returned 8 [0116.718] WriteFile (in: hFile=0xf0, lpBuffer=0x50bf30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50bf30*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0116.718] GetProcessHeap () returned 0x4e0000 [0116.718] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xd6b22) returned 0x22b0020 [0116.719] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.719] ReadFile (in: hFile=0xf0, lpBuffer=0x22b0020, nNumberOfBytesToRead=0xd6b22, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesRead=0x24dddb0*=0xd6b22, lpOverlapped=0x0) returned 1 [0116.825] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.825] WriteFile (in: hFile=0xf0, lpBuffer=0x22b0020*, nNumberOfBytesToWrite=0xd6b22, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesWritten=0x24dddbc*=0xd6b22, lpOverlapped=0x0) returned 1 [0116.829] GetProcessHeap () returned 0x4e0000 [0116.829] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x22b0020 | out: hHeap=0x4e0000) returned 1 [0116.834] CloseHandle (hObject=0xf0) returned 1 [0116.834] GetProcessHeap () returned 0x4e0000 [0116.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e7a8 | out: hHeap=0x4e0000) returned 1 [0116.835] GetProcessHeap () returned 0x4e0000 [0116.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e6a0 | out: hHeap=0x4e0000) returned 1 [0116.835] GetProcessHeap () returned 0x4e0000 [0116.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df28 | out: hHeap=0x4e0000) returned 1 [0116.835] GetProcessHeap () returned 0x4e0000 [0116.835] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df10 | out: hHeap=0x4e0000) returned 1 [0116.835] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" [0116.835] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.NEPHILIM") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.NEPHILIM" [0116.835] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), lpNewFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.NEPHILIM" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.nephilim")) returned 1 [0116.840] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xce875, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="Desert.jpg", cAlternateFileName="")) returned 1 [0116.840] lstrcmpiW (lpString1="Desert.jpg", lpString2=".") returned 1 [0116.840] lstrcmpiW (lpString1="Desert.jpg", lpString2="..") returned 1 [0116.840] lstrcmpiW (lpString1="Desert.jpg", lpString2="...") returned 1 [0116.840] lstrcmpiW (lpString1="Desert.jpg", lpString2="windows") returned -1 [0116.840] lstrcmpiW (lpString1="Desert.jpg", lpString2="$RECYCLE.BIN") returned 1 [0116.840] lstrcmpiW (lpString1="Desert.jpg", lpString2="rsa") returned -1 [0116.840] lstrcmpiW (lpString1="Desert.jpg", lpString2="log") returned -1 [0116.840] lstrcmpiW (lpString1="Desert.jpg", lpString2="NTDETECT.COM") returned -1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="ntldr") returned -1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="MSDOS.SYS") returned -1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="IO.SYS") returned -1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="boot.ini") returned 1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="ntuser.dat") returned -1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="desktop.ini") returned -1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="CONFIG.SYS") returned 1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="RECYCLER") returned -1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="BOOTSECT.BAK") returned 1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="bootmgr") returned 1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="programdata") returned -1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="appdata") returned 1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="program files") returned -1 [0116.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="program files (x86)") returned -1 [0116.841] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\" [0116.841] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Desert.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" [0116.841] PathFindExtensionW (pszPath="Desert.jpg") returned=".jpg" [0116.841] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0116.841] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0116.841] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0116.841] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0116.841] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0116.841] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0116.841] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0116.841] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0116.842] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0116.842] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0116.842] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0116.842] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0116.842] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0116.842] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0116.842] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0116.842] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0116.842] lstrcmpiW (lpString1="Desert.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0116.842] lstrlenA (lpString="NEPHILIM") returned 8 [0116.842] GetProcessHeap () returned 0x4e0000 [0116.842] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bf40 [0116.842] lstrlenA (lpString="NEPHILIM") returned 8 [0116.842] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0116.843] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=845941) returned 1 [0116.843] GetProcessHeap () returned 0x4e0000 [0116.843] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df10 [0116.843] GetProcessHeap () returned 0x4e0000 [0116.843] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df28 [0116.843] SystemFunction036 (in: RandomBuffer=0x50df10, RandomBufferLength=0x10 | out: RandomBuffer=0x50df10) returned 1 [0116.843] SystemFunction036 (in: RandomBuffer=0x50df28, RandomBufferLength=0x10 | out: RandomBuffer=0x50df28) returned 1 [0116.843] GetProcessHeap () returned 0x4e0000 [0116.843] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e6a0 [0116.843] GetProcessHeap () returned 0x4e0000 [0116.843] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e7a8 [0116.843] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e6a0*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e6a0*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0116.843] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e7a8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e7a8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0116.844] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xce875, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.844] SetLastError (dwErrCode=0x0) [0116.844] WriteFile (in: hFile=0xf0, lpBuffer=0x51e6a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e6a0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.851] GetLastError () returned 0x0 [0116.851] GetLastError () returned 0x0 [0116.852] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xce975, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.852] WriteFile (in: hFile=0xf0, lpBuffer=0x51e7a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e7a8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.852] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xcea75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.852] lstrlenA (lpString="NEPHILIM") returned 8 [0116.852] WriteFile (in: hFile=0xf0, lpBuffer=0x50bf40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50bf40*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0116.852] GetProcessHeap () returned 0x4e0000 [0116.852] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xce875) returned 0x22b0020 [0116.852] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.852] ReadFile (in: hFile=0xf0, lpBuffer=0x22b0020, nNumberOfBytesToRead=0xce875, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesRead=0x24dddb0*=0xce875, lpOverlapped=0x0) returned 1 [0116.936] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.936] WriteFile (in: hFile=0xf0, lpBuffer=0x22b0020*, nNumberOfBytesToWrite=0xce875, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesWritten=0x24dddbc*=0xce875, lpOverlapped=0x0) returned 1 [0116.939] GetProcessHeap () returned 0x4e0000 [0116.939] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x22b0020 | out: hHeap=0x4e0000) returned 1 [0116.945] CloseHandle (hObject=0xf0) returned 1 [0116.945] GetProcessHeap () returned 0x4e0000 [0116.945] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e6a0 | out: hHeap=0x4e0000) returned 1 [0116.945] GetProcessHeap () returned 0x4e0000 [0116.945] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e7a8 | out: hHeap=0x4e0000) returned 1 [0116.945] GetProcessHeap () returned 0x4e0000 [0116.945] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df10 | out: hHeap=0x4e0000) returned 1 [0116.945] GetProcessHeap () returned 0x4e0000 [0116.945] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df28 | out: hHeap=0x4e0000) returned 1 [0116.945] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" [0116.945] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.NEPHILIM") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.NEPHILIM" [0116.945] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), lpNewFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.NEPHILIM" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.nephilim")) returned 1 [0116.946] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.946] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0116.946] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0116.946] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0116.946] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0116.946] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0116.946] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0116.946] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0116.946] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0116.946] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0116.947] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0116.947] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0116.947] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0116.947] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0116.947] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0116.947] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0116.947] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x91554, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="Hydrangeas.jpg", cAlternateFileName="HYDRAN~1.JPG")) returned 1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2=".") returned 1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="..") returned 1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="...") returned 1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="windows") returned -1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="$RECYCLE.BIN") returned 1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="rsa") returned -1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="log") returned -1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="NTDETECT.COM") returned -1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="ntldr") returned -1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="MSDOS.SYS") returned -1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="IO.SYS") returned -1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="boot.ini") returned 1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="ntuser.dat") returned -1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="desktop.ini") returned 1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="CONFIG.SYS") returned 1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="RECYCLER") returned -1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="BOOTSECT.BAK") returned 1 [0116.947] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="bootmgr") returned 1 [0116.948] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="programdata") returned -1 [0116.948] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="appdata") returned 1 [0116.948] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="program files") returned -1 [0116.948] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="program files (x86)") returned -1 [0116.948] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\" [0116.948] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Hydrangeas.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" [0116.948] PathFindExtensionW (pszPath="Hydrangeas.jpg") returned=".jpg" [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0116.948] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0116.948] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0116.948] lstrlenA (lpString="NEPHILIM") returned 8 [0116.948] GetProcessHeap () returned 0x4e0000 [0116.949] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bf50 [0116.949] lstrlenA (lpString="NEPHILIM") returned 8 [0116.949] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0116.950] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=595284) returned 1 [0116.950] GetProcessHeap () returned 0x4e0000 [0116.950] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df28 [0116.951] GetProcessHeap () returned 0x4e0000 [0116.951] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df10 [0116.951] SystemFunction036 (in: RandomBuffer=0x50df28, RandomBufferLength=0x10 | out: RandomBuffer=0x50df28) returned 1 [0116.951] SystemFunction036 (in: RandomBuffer=0x50df10, RandomBufferLength=0x10 | out: RandomBuffer=0x50df10) returned 1 [0116.951] GetProcessHeap () returned 0x4e0000 [0116.951] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e7a8 [0116.951] GetProcessHeap () returned 0x4e0000 [0116.951] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e6a0 [0116.951] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e7a8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e7a8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0116.951] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e6a0*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e6a0*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0116.951] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x91554, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.952] SetLastError (dwErrCode=0x0) [0116.952] WriteFile (in: hFile=0xf0, lpBuffer=0x51e7a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e7a8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.954] GetLastError () returned 0x0 [0116.954] GetLastError () returned 0x0 [0116.954] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x91654, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.954] WriteFile (in: hFile=0xf0, lpBuffer=0x51e6a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e6a0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0116.954] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x91754, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.954] lstrlenA (lpString="NEPHILIM") returned 8 [0116.954] WriteFile (in: hFile=0xf0, lpBuffer=0x50bf50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50bf50*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0116.954] GetProcessHeap () returned 0x4e0000 [0116.954] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x91554) returned 0x2110020 [0116.955] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.955] ReadFile (in: hFile=0xf0, lpBuffer=0x2110020, nNumberOfBytesToRead=0x91554, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dddb0*=0x91554, lpOverlapped=0x0) returned 1 [0117.007] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.007] WriteFile (in: hFile=0xf0, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x91554, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dddbc*=0x91554, lpOverlapped=0x0) returned 1 [0117.009] GetProcessHeap () returned 0x4e0000 [0117.009] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0117.014] CloseHandle (hObject=0xf0) returned 1 [0117.014] GetProcessHeap () returned 0x4e0000 [0117.014] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e7a8 | out: hHeap=0x4e0000) returned 1 [0117.014] GetProcessHeap () returned 0x4e0000 [0117.014] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e6a0 | out: hHeap=0x4e0000) returned 1 [0117.014] GetProcessHeap () returned 0x4e0000 [0117.014] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df28 | out: hHeap=0x4e0000) returned 1 [0117.014] GetProcessHeap () returned 0x4e0000 [0117.015] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df10 | out: hHeap=0x4e0000) returned 1 [0117.015] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" [0117.015] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.NEPHILIM") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.NEPHILIM" [0117.015] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), lpNewFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.NEPHILIM" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.nephilim")) returned 1 [0117.016] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xbd616, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="Jellyfish.jpg", cAlternateFileName="JELLYF~1.JPG")) returned 1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2=".") returned 1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="..") returned 1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="...") returned 1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="windows") returned -1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="$RECYCLE.BIN") returned 1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="rsa") returned -1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="log") returned -1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="NTDETECT.COM") returned -1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="ntldr") returned -1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="MSDOS.SYS") returned -1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="IO.SYS") returned 1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="boot.ini") returned 1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="ntuser.dat") returned -1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="desktop.ini") returned 1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="CONFIG.SYS") returned 1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="RECYCLER") returned -1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="BOOTSECT.BAK") returned 1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="bootmgr") returned 1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="programdata") returned -1 [0117.016] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="appdata") returned 1 [0117.017] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="program files") returned -1 [0117.017] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="program files (x86)") returned -1 [0117.017] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\" [0117.017] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Jellyfish.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" [0117.017] PathFindExtensionW (pszPath="Jellyfish.jpg") returned=".jpg" [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0117.017] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0117.017] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0117.017] lstrlenA (lpString="NEPHILIM") returned 8 [0117.017] GetProcessHeap () returned 0x4e0000 [0117.017] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bf60 [0117.018] lstrlenA (lpString="NEPHILIM") returned 8 [0117.018] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0117.023] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=775702) returned 1 [0117.023] GetProcessHeap () returned 0x4e0000 [0117.023] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df10 [0117.023] GetProcessHeap () returned 0x4e0000 [0117.023] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df28 [0117.023] SystemFunction036 (in: RandomBuffer=0x50df10, RandomBufferLength=0x10 | out: RandomBuffer=0x50df10) returned 1 [0117.023] SystemFunction036 (in: RandomBuffer=0x50df28, RandomBufferLength=0x10 | out: RandomBuffer=0x50df28) returned 1 [0117.023] GetProcessHeap () returned 0x4e0000 [0117.023] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e6a0 [0117.023] GetProcessHeap () returned 0x4e0000 [0117.024] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e7a8 [0117.024] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e6a0*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e6a0*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0117.024] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e7a8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e7a8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0117.024] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbd616, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.024] SetLastError (dwErrCode=0x0) [0117.024] WriteFile (in: hFile=0xf0, lpBuffer=0x51e6a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e6a0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0117.037] GetLastError () returned 0x0 [0117.037] GetLastError () returned 0x0 [0117.037] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbd716, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.037] WriteFile (in: hFile=0xf0, lpBuffer=0x51e7a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e7a8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0117.038] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbd816, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.038] lstrlenA (lpString="NEPHILIM") returned 8 [0117.038] WriteFile (in: hFile=0xf0, lpBuffer=0x50bf60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50bf60*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0117.038] GetProcessHeap () returned 0x4e0000 [0117.038] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xbd616) returned 0x22b0020 [0117.038] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.038] ReadFile (in: hFile=0xf0, lpBuffer=0x22b0020, nNumberOfBytesToRead=0xbd616, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesRead=0x24dddb0*=0xbd616, lpOverlapped=0x0) returned 1 [0117.163] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.164] WriteFile (in: hFile=0xf0, lpBuffer=0x22b0020*, nNumberOfBytesToWrite=0xbd616, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesWritten=0x24dddbc*=0xbd616, lpOverlapped=0x0) returned 1 [0117.166] GetProcessHeap () returned 0x4e0000 [0117.166] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x22b0020 | out: hHeap=0x4e0000) returned 1 [0117.171] CloseHandle (hObject=0xf0) returned 1 [0117.171] GetProcessHeap () returned 0x4e0000 [0117.171] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e6a0 | out: hHeap=0x4e0000) returned 1 [0117.171] GetProcessHeap () returned 0x4e0000 [0117.171] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e7a8 | out: hHeap=0x4e0000) returned 1 [0117.172] GetProcessHeap () returned 0x4e0000 [0117.172] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df10 | out: hHeap=0x4e0000) returned 1 [0117.172] GetProcessHeap () returned 0x4e0000 [0117.172] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df28 | out: hHeap=0x4e0000) returned 1 [0117.172] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" [0117.172] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.NEPHILIM") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.NEPHILIM" [0117.172] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), lpNewFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.NEPHILIM" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.nephilim")) returned 1 [0117.173] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xbea1f, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="Koala.jpg", cAlternateFileName="")) returned 1 [0117.173] lstrcmpiW (lpString1="Koala.jpg", lpString2=".") returned 1 [0117.173] lstrcmpiW (lpString1="Koala.jpg", lpString2="..") returned 1 [0117.173] lstrcmpiW (lpString1="Koala.jpg", lpString2="...") returned 1 [0117.173] lstrcmpiW (lpString1="Koala.jpg", lpString2="windows") returned -1 [0117.173] lstrcmpiW (lpString1="Koala.jpg", lpString2="$RECYCLE.BIN") returned 1 [0117.173] lstrcmpiW (lpString1="Koala.jpg", lpString2="rsa") returned -1 [0117.173] lstrcmpiW (lpString1="Koala.jpg", lpString2="log") returned -1 [0117.173] lstrcmpiW (lpString1="Koala.jpg", lpString2="NTDETECT.COM") returned -1 [0117.173] lstrcmpiW (lpString1="Koala.jpg", lpString2="ntldr") returned -1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="MSDOS.SYS") returned -1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="IO.SYS") returned 1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="boot.ini") returned 1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="ntuser.dat") returned -1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="desktop.ini") returned 1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="CONFIG.SYS") returned 1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="RECYCLER") returned -1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="BOOTSECT.BAK") returned 1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="bootmgr") returned 1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="programdata") returned -1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="appdata") returned 1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="program files") returned -1 [0117.174] lstrcmpiW (lpString1="Koala.jpg", lpString2="program files (x86)") returned -1 [0117.174] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\" [0117.174] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Koala.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" [0117.174] PathFindExtensionW (pszPath="Koala.jpg") returned=".jpg" [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0117.175] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0117.175] lstrcmpiW (lpString1="Koala.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0117.175] lstrlenA (lpString="NEPHILIM") returned 8 [0117.175] GetProcessHeap () returned 0x4e0000 [0117.175] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bf70 [0117.175] lstrlenA (lpString="NEPHILIM") returned 8 [0117.175] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0117.176] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=780831) returned 1 [0117.176] GetProcessHeap () returned 0x4e0000 [0117.176] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df28 [0117.176] GetProcessHeap () returned 0x4e0000 [0117.176] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df10 [0117.176] SystemFunction036 (in: RandomBuffer=0x50df28, RandomBufferLength=0x10 | out: RandomBuffer=0x50df28) returned 1 [0117.176] SystemFunction036 (in: RandomBuffer=0x50df10, RandomBufferLength=0x10 | out: RandomBuffer=0x50df10) returned 1 [0117.176] GetProcessHeap () returned 0x4e0000 [0117.176] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e7a8 [0117.176] GetProcessHeap () returned 0x4e0000 [0117.177] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e6a0 [0117.177] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e7a8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e7a8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0117.177] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e6a0*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e6a0*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0117.177] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbea1f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.177] SetLastError (dwErrCode=0x0) [0117.177] WriteFile (in: hFile=0xf0, lpBuffer=0x51e7a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e7a8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0117.182] GetLastError () returned 0x0 [0117.182] GetLastError () returned 0x0 [0117.182] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbeb1f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.182] WriteFile (in: hFile=0xf0, lpBuffer=0x51e6a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e6a0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0117.182] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbec1f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.182] lstrlenA (lpString="NEPHILIM") returned 8 [0117.182] WriteFile (in: hFile=0xf0, lpBuffer=0x50bf70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50bf70*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0117.182] GetProcessHeap () returned 0x4e0000 [0117.182] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xbea1f) returned 0x22b0020 [0117.183] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.183] ReadFile (in: hFile=0xf0, lpBuffer=0x22b0020, nNumberOfBytesToRead=0xbea1f, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesRead=0x24dddb0*=0xbea1f, lpOverlapped=0x0) returned 1 [0117.248] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.248] WriteFile (in: hFile=0xf0, lpBuffer=0x22b0020*, nNumberOfBytesToWrite=0xbea1f, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesWritten=0x24dddbc*=0xbea1f, lpOverlapped=0x0) returned 1 [0117.250] GetProcessHeap () returned 0x4e0000 [0117.250] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x22b0020 | out: hHeap=0x4e0000) returned 1 [0117.255] CloseHandle (hObject=0xf0) returned 1 [0117.255] GetProcessHeap () returned 0x4e0000 [0117.255] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e7a8 | out: hHeap=0x4e0000) returned 1 [0117.255] GetProcessHeap () returned 0x4e0000 [0117.255] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e6a0 | out: hHeap=0x4e0000) returned 1 [0117.255] GetProcessHeap () returned 0x4e0000 [0117.255] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df28 | out: hHeap=0x4e0000) returned 1 [0117.255] GetProcessHeap () returned 0x4e0000 [0117.255] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df10 | out: hHeap=0x4e0000) returned 1 [0117.255] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" [0117.255] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.NEPHILIM") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.NEPHILIM" [0117.256] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), lpNewFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.NEPHILIM" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.nephilim")) returned 1 [0117.256] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x8907c, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="Lighthouse.jpg", cAlternateFileName="LIGHTH~1.JPG")) returned 1 [0117.256] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2=".") returned 1 [0117.256] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="..") returned 1 [0117.256] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="...") returned 1 [0117.256] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="windows") returned -1 [0117.256] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="$RECYCLE.BIN") returned 1 [0117.256] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="rsa") returned -1 [0117.256] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="log") returned -1 [0117.256] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="NTDETECT.COM") returned -1 [0117.256] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="ntldr") returned -1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="MSDOS.SYS") returned -1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="IO.SYS") returned 1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="boot.ini") returned 1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="ntuser.dat") returned -1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="desktop.ini") returned 1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="CONFIG.SYS") returned 1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="RECYCLER") returned -1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="BOOTSECT.BAK") returned 1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="bootmgr") returned 1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="programdata") returned -1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="appdata") returned 1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="program files") returned -1 [0117.257] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="program files (x86)") returned -1 [0117.257] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\" [0117.257] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Lighthouse.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" [0117.257] PathFindExtensionW (pszPath="Lighthouse.jpg") returned=".jpg" [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0117.257] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0117.258] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0117.258] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0117.258] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned -1 [0117.258] lstrlenA (lpString="NEPHILIM") returned 8 [0117.258] GetProcessHeap () returned 0x4e0000 [0117.258] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bf80 [0117.258] lstrlenA (lpString="NEPHILIM") returned 8 [0117.258] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0117.260] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=561276) returned 1 [0117.260] GetProcessHeap () returned 0x4e0000 [0117.260] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df10 [0117.260] GetProcessHeap () returned 0x4e0000 [0117.260] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df28 [0117.260] SystemFunction036 (in: RandomBuffer=0x50df10, RandomBufferLength=0x10 | out: RandomBuffer=0x50df10) returned 1 [0117.260] SystemFunction036 (in: RandomBuffer=0x50df28, RandomBufferLength=0x10 | out: RandomBuffer=0x50df28) returned 1 [0117.260] GetProcessHeap () returned 0x4e0000 [0117.260] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e6a0 [0117.260] GetProcessHeap () returned 0x4e0000 [0117.260] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e7a8 [0117.260] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e6a0*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e6a0*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0117.260] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e7a8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e7a8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0117.261] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x8907c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.261] SetLastError (dwErrCode=0x0) [0117.261] WriteFile (in: hFile=0xf0, lpBuffer=0x51e6a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e6a0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0117.265] GetLastError () returned 0x0 [0117.265] GetLastError () returned 0x0 [0117.265] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x8917c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.265] WriteFile (in: hFile=0xf0, lpBuffer=0x51e7a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e7a8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0117.265] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x8927c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.265] lstrlenA (lpString="NEPHILIM") returned 8 [0117.265] WriteFile (in: hFile=0xf0, lpBuffer=0x50bf80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50bf80*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0117.265] GetProcessHeap () returned 0x4e0000 [0117.265] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8907c) returned 0x2110020 [0117.266] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.266] ReadFile (in: hFile=0xf0, lpBuffer=0x2110020, nNumberOfBytesToRead=0x8907c, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dddb0*=0x8907c, lpOverlapped=0x0) returned 1 [0117.313] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.313] WriteFile (in: hFile=0xf0, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x8907c, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dddbc*=0x8907c, lpOverlapped=0x0) returned 1 [0117.316] GetProcessHeap () returned 0x4e0000 [0117.316] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0117.320] CloseHandle (hObject=0xf0) returned 1 [0117.320] GetProcessHeap () returned 0x4e0000 [0117.320] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e6a0 | out: hHeap=0x4e0000) returned 1 [0117.320] GetProcessHeap () returned 0x4e0000 [0117.320] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e7a8 | out: hHeap=0x4e0000) returned 1 [0117.320] GetProcessHeap () returned 0x4e0000 [0117.320] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df10 | out: hHeap=0x4e0000) returned 1 [0117.320] GetProcessHeap () returned 0x4e0000 [0117.320] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df28 | out: hHeap=0x4e0000) returned 1 [0117.321] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" [0117.321] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.NEPHILIM") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.NEPHILIM" [0117.321] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), lpNewFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.NEPHILIM" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.nephilim")) returned 1 [0117.324] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xbde6b, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="Penguins.jpg", cAlternateFileName="")) returned 1 [0117.324] lstrcmpiW (lpString1="Penguins.jpg", lpString2=".") returned 1 [0117.324] lstrcmpiW (lpString1="Penguins.jpg", lpString2="..") returned 1 [0117.324] lstrcmpiW (lpString1="Penguins.jpg", lpString2="...") returned 1 [0117.324] lstrcmpiW (lpString1="Penguins.jpg", lpString2="windows") returned -1 [0117.324] lstrcmpiW (lpString1="Penguins.jpg", lpString2="$RECYCLE.BIN") returned 1 [0117.324] lstrcmpiW (lpString1="Penguins.jpg", lpString2="rsa") returned -1 [0117.324] lstrcmpiW (lpString1="Penguins.jpg", lpString2="log") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="NTDETECT.COM") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="ntldr") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="MSDOS.SYS") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="IO.SYS") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="boot.ini") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="ntuser.dat") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="desktop.ini") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="CONFIG.SYS") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="RECYCLER") returned -1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="BOOTSECT.BAK") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="bootmgr") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="programdata") returned -1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="appdata") returned 1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="program files") returned -1 [0117.325] lstrcmpiW (lpString1="Penguins.jpg", lpString2="program files (x86)") returned -1 [0117.325] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\" [0117.325] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Penguins.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" [0117.325] PathFindExtensionW (pszPath="Penguins.jpg") returned=".jpg" [0117.325] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0117.325] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0117.325] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0117.326] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0117.326] lstrcmpiW (lpString1="Penguins.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0117.326] lstrlenA (lpString="NEPHILIM") returned 8 [0117.326] GetProcessHeap () returned 0x4e0000 [0117.326] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bf90 [0117.326] lstrlenA (lpString="NEPHILIM") returned 8 [0117.326] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0117.327] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=777835) returned 1 [0117.327] GetProcessHeap () returned 0x4e0000 [0117.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df28 [0117.327] GetProcessHeap () returned 0x4e0000 [0117.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df10 [0117.327] SystemFunction036 (in: RandomBuffer=0x50df28, RandomBufferLength=0x10 | out: RandomBuffer=0x50df28) returned 1 [0117.327] SystemFunction036 (in: RandomBuffer=0x50df10, RandomBufferLength=0x10 | out: RandomBuffer=0x50df10) returned 1 [0117.327] GetProcessHeap () returned 0x4e0000 [0117.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e7a8 [0117.327] GetProcessHeap () returned 0x4e0000 [0117.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e6a0 [0117.327] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e7a8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e7a8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0117.328] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e6a0*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e6a0*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0117.328] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbde6b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.328] SetLastError (dwErrCode=0x0) [0117.328] WriteFile (in: hFile=0xf0, lpBuffer=0x51e7a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e7a8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0117.334] GetLastError () returned 0x0 [0117.334] GetLastError () returned 0x0 [0117.334] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbdf6b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.334] WriteFile (in: hFile=0xf0, lpBuffer=0x51e6a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e6a0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0117.334] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xbe06b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.334] lstrlenA (lpString="NEPHILIM") returned 8 [0117.334] WriteFile (in: hFile=0xf0, lpBuffer=0x50bf90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50bf90*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0117.335] GetProcessHeap () returned 0x4e0000 [0117.335] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xbde6b) returned 0x22b0020 [0117.335] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.335] ReadFile (in: hFile=0xf0, lpBuffer=0x22b0020, nNumberOfBytesToRead=0xbde6b, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesRead=0x24dddb0*=0xbde6b, lpOverlapped=0x0) returned 1 [0117.396] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.396] WriteFile (in: hFile=0xf0, lpBuffer=0x22b0020*, nNumberOfBytesToWrite=0xbde6b, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x22b0020*, lpNumberOfBytesWritten=0x24dddbc*=0xbde6b, lpOverlapped=0x0) returned 1 [0117.399] GetProcessHeap () returned 0x4e0000 [0117.399] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x22b0020 | out: hHeap=0x4e0000) returned 1 [0117.405] CloseHandle (hObject=0xf0) returned 1 [0117.405] GetProcessHeap () returned 0x4e0000 [0117.405] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e7a8 | out: hHeap=0x4e0000) returned 1 [0117.405] GetProcessHeap () returned 0x4e0000 [0117.405] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e6a0 | out: hHeap=0x4e0000) returned 1 [0117.405] GetProcessHeap () returned 0x4e0000 [0117.405] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df28 | out: hHeap=0x4e0000) returned 1 [0117.405] GetProcessHeap () returned 0x4e0000 [0117.405] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df10 | out: hHeap=0x4e0000) returned 1 [0117.405] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" [0117.405] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.NEPHILIM") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.NEPHILIM" [0117.405] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), lpNewFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.NEPHILIM" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.nephilim")) returned 1 [0117.406] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x97958, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="Tulips.jpg", cAlternateFileName="")) returned 1 [0117.406] lstrcmpiW (lpString1="Tulips.jpg", lpString2=".") returned 1 [0117.406] lstrcmpiW (lpString1="Tulips.jpg", lpString2="..") returned 1 [0117.406] lstrcmpiW (lpString1="Tulips.jpg", lpString2="...") returned 1 [0117.406] lstrcmpiW (lpString1="Tulips.jpg", lpString2="windows") returned -1 [0117.406] lstrcmpiW (lpString1="Tulips.jpg", lpString2="$RECYCLE.BIN") returned 1 [0117.406] lstrcmpiW (lpString1="Tulips.jpg", lpString2="rsa") returned 1 [0117.406] lstrcmpiW (lpString1="Tulips.jpg", lpString2="log") returned 1 [0117.406] lstrcmpiW (lpString1="Tulips.jpg", lpString2="NTDETECT.COM") returned 1 [0117.406] lstrcmpiW (lpString1="Tulips.jpg", lpString2="ntldr") returned 1 [0117.406] lstrcmpiW (lpString1="Tulips.jpg", lpString2="MSDOS.SYS") returned 1 [0117.406] lstrcmpiW (lpString1="Tulips.jpg", lpString2="IO.SYS") returned 1 [0117.407] lstrcmpiW (lpString1="Tulips.jpg", lpString2="boot.ini") returned 1 [0117.407] lstrcmpiW (lpString1="Tulips.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0117.407] lstrcmpiW (lpString1="Tulips.jpg", lpString2="ntuser.dat") returned 1 [0117.407] lstrcmpiW (lpString1="Tulips.jpg", lpString2="desktop.ini") returned 1 [0117.407] lstrcmpiW (lpString1="Tulips.jpg", lpString2="CONFIG.SYS") returned 1 [0117.407] lstrcmpiW (lpString1="Tulips.jpg", lpString2="RECYCLER") returned 1 [0117.407] lstrcmpiW (lpString1="Tulips.jpg", lpString2="BOOTSECT.BAK") returned 1 [0117.407] lstrcmpiW (lpString1="Tulips.jpg", lpString2="bootmgr") returned 1 [0117.407] lstrcmpiW (lpString1="Tulips.jpg", lpString2="programdata") returned 1 [0117.407] lstrcmpiW (lpString1="Tulips.jpg", lpString2="appdata") returned 1 [0117.407] lstrcmpiW (lpString1="Tulips.jpg", lpString2="program files") returned 1 [0117.407] lstrcmpiW (lpString1="Tulips.jpg", lpString2="program files (x86)") returned 1 [0117.407] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\" [0117.407] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Tulips.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" [0117.407] PathFindExtensionW (pszPath="Tulips.jpg") returned=".jpg" [0117.407] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0117.407] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0117.407] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0117.407] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0117.407] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0117.407] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0117.407] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0117.407] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0117.407] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0117.407] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0117.408] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0117.408] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0117.408] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0117.408] lstrcmpiW (lpString1=".jpg", lpString2=".NEPHILIM") returned -1 [0117.408] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0117.408] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0117.408] lstrcmpiW (lpString1="Tulips.jpg", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0117.408] lstrlenA (lpString="NEPHILIM") returned 8 [0117.408] GetProcessHeap () returned 0x4e0000 [0117.408] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bfa0 [0117.408] lstrlenA (lpString="NEPHILIM") returned 8 [0117.408] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0117.408] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=620888) returned 1 [0117.408] GetProcessHeap () returned 0x4e0000 [0117.409] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df10 [0117.409] GetProcessHeap () returned 0x4e0000 [0117.409] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df28 [0117.409] SystemFunction036 (in: RandomBuffer=0x50df10, RandomBufferLength=0x10 | out: RandomBuffer=0x50df10) returned 1 [0117.409] SystemFunction036 (in: RandomBuffer=0x50df28, RandomBufferLength=0x10 | out: RandomBuffer=0x50df28) returned 1 [0117.409] GetProcessHeap () returned 0x4e0000 [0117.409] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e6a0 [0117.409] GetProcessHeap () returned 0x4e0000 [0117.409] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e7a8 [0117.409] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e6a0*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e6a0*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0117.409] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e7a8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e7a8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0117.409] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x97958, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.410] SetLastError (dwErrCode=0x0) [0117.410] WriteFile (in: hFile=0xf0, lpBuffer=0x51e6a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e6a0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0117.443] GetLastError () returned 0x0 [0117.443] GetLastError () returned 0x0 [0117.443] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x97a58, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.443] WriteFile (in: hFile=0xf0, lpBuffer=0x51e7a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e7a8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0117.443] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x97b58, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.443] lstrlenA (lpString="NEPHILIM") returned 8 [0117.443] WriteFile (in: hFile=0xf0, lpBuffer=0x50bfa0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50bfa0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0117.443] GetProcessHeap () returned 0x4e0000 [0117.444] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x97958) returned 0x2110020 [0117.444] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.444] ReadFile (in: hFile=0xf0, lpBuffer=0x2110020, nNumberOfBytesToRead=0x97958, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dddb0*=0x97958, lpOverlapped=0x0) returned 1 [0117.507] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.507] WriteFile (in: hFile=0xf0, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x97958, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dddbc*=0x97958, lpOverlapped=0x0) returned 1 [0117.510] GetProcessHeap () returned 0x4e0000 [0117.510] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0117.513] CloseHandle (hObject=0xf0) returned 1 [0117.514] GetProcessHeap () returned 0x4e0000 [0117.514] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e6a0 | out: hHeap=0x4e0000) returned 1 [0117.514] GetProcessHeap () returned 0x4e0000 [0117.514] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e7a8 | out: hHeap=0x4e0000) returned 1 [0117.514] GetProcessHeap () returned 0x4e0000 [0117.514] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df10 | out: hHeap=0x4e0000) returned 1 [0117.514] GetProcessHeap () returned 0x4e0000 [0117.514] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df28 | out: hHeap=0x4e0000) returned 1 [0117.514] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" [0117.514] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.NEPHILIM") returned="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.NEPHILIM" [0117.514] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), lpNewFileName="C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.NEPHILIM" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg.nephilim")) returned 1 [0117.515] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x97958, dwReserved0=0x3a0038, dwReserved1=0x24de8e0, cFileName="Tulips.jpg", cAlternateFileName="")) returned 0 [0117.515] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0117.515] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 0 [0117.515] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0117.515] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Recorded TV", cAlternateFileName="RECORD~1")) returned 1 [0117.515] lstrcmpiW (lpString1="Recorded TV", lpString2=".") returned 1 [0117.515] lstrcmpiW (lpString1="Recorded TV", lpString2="..") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="...") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="windows") returned -1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="$RECYCLE.BIN") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="rsa") returned -1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="log") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="NTDETECT.COM") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="ntldr") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="MSDOS.SYS") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="IO.SYS") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="boot.ini") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="AUTOEXEC.BAT") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="ntuser.dat") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="desktop.ini") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="CONFIG.SYS") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="RECYCLER") returned -1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="BOOTSECT.BAK") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="bootmgr") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="programdata") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="appdata") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="program files") returned 1 [0117.516] lstrcmpiW (lpString1="Recorded TV", lpString2="program files (x86)") returned 1 [0117.516] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Public\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0117.516] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Recorded TV" | out: lpString1="C:\\Users\\Public\\Recorded TV") returned="C:\\Users\\Public\\Recorded TV" [0117.516] lstrcatW (in: lpString1="C:\\Users\\Public\\Recorded TV", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Recorded TV\\") returned="C:\\Users\\Public\\Recorded TV\\" [0117.516] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Public\\Recorded TV\\" | out: lpString1="C:\\Users\\Public\\Recorded TV\\") returned="C:\\Users\\Public\\Recorded TV\\" [0117.517] lstrcatW (in: lpString1="C:\\Users\\Public\\Recorded TV\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Recorded TV\\*.*") returned="C:\\Users\\Public\\Recorded TV\\*.*" [0117.517] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Recorded TV\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0117.517] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.517] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0117.517] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.517] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.517] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x89e5e11e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x89e5e11e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0117.517] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0117.517] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0117.517] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0117.518] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0117.518] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0117.518] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0117.518] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0117.518] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0117.518] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0117.518] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0117.518] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0117.518] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0117.518] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0117.518] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0117.518] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0117.518] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2=".") returned 1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2="..") returned 1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2="...") returned 1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2="windows") returned -1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2="$RECYCLE.BIN") returned 1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2="rsa") returned 1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2="log") returned 1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2="NTDETECT.COM") returned 1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2="ntldr") returned 1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2="MSDOS.SYS") returned 1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2="IO.SYS") returned 1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2="boot.ini") returned 1 [0117.518] lstrcmpiW (lpString1="Sample Media", lpString2="AUTOEXEC.BAT") returned 1 [0117.519] lstrcmpiW (lpString1="Sample Media", lpString2="ntuser.dat") returned 1 [0117.519] lstrcmpiW (lpString1="Sample Media", lpString2="desktop.ini") returned 1 [0117.519] lstrcmpiW (lpString1="Sample Media", lpString2="CONFIG.SYS") returned 1 [0117.519] lstrcmpiW (lpString1="Sample Media", lpString2="RECYCLER") returned 1 [0117.519] lstrcmpiW (lpString1="Sample Media", lpString2="BOOTSECT.BAK") returned 1 [0117.519] lstrcmpiW (lpString1="Sample Media", lpString2="bootmgr") returned 1 [0117.519] lstrcmpiW (lpString1="Sample Media", lpString2="programdata") returned 1 [0117.519] lstrcmpiW (lpString1="Sample Media", lpString2="appdata") returned 1 [0117.519] lstrcmpiW (lpString1="Sample Media", lpString2="program files") returned 1 [0117.519] lstrcmpiW (lpString1="Sample Media", lpString2="program files (x86)") returned 1 [0117.519] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Public\\Recorded TV\\" | out: lpString1="C:\\Users\\Public\\Recorded TV\\") returned="C:\\Users\\Public\\Recorded TV\\" [0117.519] lstrcatW (in: lpString1="C:\\Users\\Public\\Recorded TV\\", lpString2="Sample Media" | out: lpString1="C:\\Users\\Public\\Recorded TV\\Sample Media") returned="C:\\Users\\Public\\Recorded TV\\Sample Media" [0117.519] lstrcatW (in: lpString1="C:\\Users\\Public\\Recorded TV\\Sample Media", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Recorded TV\\Sample Media\\") returned="C:\\Users\\Public\\Recorded TV\\Sample Media\\" [0117.519] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Public\\Recorded TV\\Sample Media\\" | out: lpString1="C:\\Users\\Public\\Recorded TV\\Sample Media\\") returned="C:\\Users\\Public\\Recorded TV\\Sample Media\\" [0117.519] lstrcatW (in: lpString1="C:\\Users\\Public\\Recorded TV\\Sample Media\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*") returned="C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*" [0117.519] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x40003e, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0117.519] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0117.520] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x40003e, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0117.520] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0117.520] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0117.520] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x8a1f1b86, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8a1f1b86, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xab, dwReserved0=0x40003e, dwReserved1=0x24de8e0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0117.520] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0117.520] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x8a1f1b86, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8a1f1b86, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x940000, dwReserved0=0x40003e, dwReserved1=0x24de8e0, cFileName="win7_scenic-demoshort_raw.wtv", cAlternateFileName="WIN7_S~1.WTV")) returned 1 [0117.520] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2=".") returned 1 [0117.520] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="..") returned 1 [0117.520] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="...") returned 1 [0117.520] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="windows") returned -1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="$RECYCLE.BIN") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="rsa") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="log") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="NTDETECT.COM") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="ntldr") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="MSDOS.SYS") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="IO.SYS") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="boot.ini") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="AUTOEXEC.BAT") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="ntuser.dat") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="desktop.ini") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="CONFIG.SYS") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="RECYCLER") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="BOOTSECT.BAK") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="bootmgr") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="programdata") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="appdata") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="program files") returned 1 [0117.521] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="program files (x86)") returned 1 [0117.521] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Recorded TV\\Sample Media\\" | out: lpString1="C:\\Users\\Public\\Recorded TV\\Sample Media\\") returned="C:\\Users\\Public\\Recorded TV\\Sample Media\\" [0117.521] lstrcatW (in: lpString1="C:\\Users\\Public\\Recorded TV\\Sample Media\\", lpString2="win7_scenic-demoshort_raw.wtv" | out: lpString1="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" [0117.521] PathFindExtensionW (pszPath="win7_scenic-demoshort_raw.wtv") returned=".wtv" [0117.521] lstrcmpiW (lpString1=".wtv", lpString2=".exe") returned 1 [0117.521] lstrcmpiW (lpString1=".wtv", lpString2=".log") returned 1 [0117.521] lstrcmpiW (lpString1=".wtv", lpString2=".cab") returned 1 [0117.521] lstrcmpiW (lpString1=".wtv", lpString2=".cmd") returned 1 [0117.521] lstrcmpiW (lpString1=".wtv", lpString2=".com") returned 1 [0117.522] lstrcmpiW (lpString1=".wtv", lpString2=".cpl") returned 1 [0117.522] lstrcmpiW (lpString1=".wtv", lpString2=".ini") returned 1 [0117.522] lstrcmpiW (lpString1=".wtv", lpString2=".dll") returned 1 [0117.522] lstrcmpiW (lpString1=".wtv", lpString2=".url") returned 1 [0117.522] lstrcmpiW (lpString1=".wtv", lpString2=".ttf") returned 1 [0117.522] lstrcmpiW (lpString1=".wtv", lpString2=".mp3") returned 1 [0117.522] lstrcmpiW (lpString1=".wtv", lpString2=".pif") returned 1 [0117.522] lstrcmpiW (lpString1=".wtv", lpString2=".mp4") returned 1 [0117.522] lstrcmpiW (lpString1=".wtv", lpString2=".NEPHILIM") returned 1 [0117.522] lstrcmpiW (lpString1=".wtv", lpString2=".msi") returned 1 [0117.522] lstrcmpiW (lpString1=".wtv", lpString2=".lnk") returned 1 [0117.522] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0117.522] lstrlenA (lpString="NEPHILIM") returned 8 [0117.522] GetProcessHeap () returned 0x4e0000 [0117.522] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bfb0 [0117.522] lstrlenA (lpString="NEPHILIM") returned 8 [0117.522] CreateFileW (lpFileName="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf0 [0117.523] GetFileSizeEx (in: hFile=0xf0, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=9699328) returned 1 [0117.523] GetProcessHeap () returned 0x4e0000 [0117.523] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df28 [0117.523] GetProcessHeap () returned 0x4e0000 [0117.523] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df10 [0117.523] SystemFunction036 (in: RandomBuffer=0x50df28, RandomBufferLength=0x10 | out: RandomBuffer=0x50df28) returned 1 [0117.523] SystemFunction036 (in: RandomBuffer=0x50df10, RandomBufferLength=0x10 | out: RandomBuffer=0x50df10) returned 1 [0117.523] GetProcessHeap () returned 0x4e0000 [0117.523] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e7a8 [0117.523] GetProcessHeap () returned 0x4e0000 [0117.523] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e6a0 [0117.523] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e7a8*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e7a8*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0117.524] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e6a0*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e6a0*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0117.524] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x940000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.524] SetLastError (dwErrCode=0x0) [0117.524] WriteFile (in: hFile=0xf0, lpBuffer=0x51e7a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e7a8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0117.525] GetLastError () returned 0x0 [0117.526] GetLastError () returned 0x0 [0117.526] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x940100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.526] WriteFile (in: hFile=0xf0, lpBuffer=0x51e6a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e6a0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0117.526] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x940200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.526] lstrlenA (lpString="NEPHILIM") returned 8 [0117.526] WriteFile (in: hFile=0xf0, lpBuffer=0x50bfb0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50bfb0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0117.526] GetProcessHeap () returned 0x4e0000 [0117.526] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2110020 [0117.526] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.526] ReadFile (in: hFile=0xf0, lpBuffer=0x2110020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dddb0*=0x927c0, lpOverlapped=0x0) returned 1 [0118.373] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.374] WriteFile (in: hFile=0xf0, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dddbc*=0x927c0, lpOverlapped=0x0) returned 1 [0118.376] GetProcessHeap () returned 0x4e0000 [0118.376] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0118.381] CloseHandle (hObject=0xf0) returned 1 [0119.559] GetProcessHeap () returned 0x4e0000 [0119.560] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e7a8 | out: hHeap=0x4e0000) returned 1 [0119.560] GetProcessHeap () returned 0x4e0000 [0119.560] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e6a0 | out: hHeap=0x4e0000) returned 1 [0119.560] GetProcessHeap () returned 0x4e0000 [0119.560] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df28 | out: hHeap=0x4e0000) returned 1 [0119.560] GetProcessHeap () returned 0x4e0000 [0119.560] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df10 | out: hHeap=0x4e0000) returned 1 [0119.560] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" | out: lpString1="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" [0119.560] lstrcatW (in: lpString1="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.NEPHILIM") returned="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.NEPHILIM" [0119.560] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), lpNewFileName="C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.NEPHILIM" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.nephilim")) returned 1 [0119.561] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x8a1f1b86, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8a1f1b86, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x940000, dwReserved0=0x40003e, dwReserved1=0x24de8e0, cFileName="win7_scenic-demoshort_raw.wtv", cAlternateFileName="WIN7_S~1.WTV")) returned 0 [0119.561] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0119.561] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 0 [0119.561] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0119.561] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Videos", cAlternateFileName="")) returned 1 [0119.561] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0119.561] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0119.561] lstrcmpiW (lpString1="Videos", lpString2="...") returned 1 [0119.561] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0119.561] lstrcmpiW (lpString1="Videos", lpString2="$RECYCLE.BIN") returned 1 [0119.561] lstrcmpiW (lpString1="Videos", lpString2="rsa") returned 1 [0119.561] lstrcmpiW (lpString1="Videos", lpString2="log") returned 1 [0119.561] lstrcmpiW (lpString1="Videos", lpString2="NTDETECT.COM") returned 1 [0119.561] lstrcmpiW (lpString1="Videos", lpString2="ntldr") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="MSDOS.SYS") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="IO.SYS") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="boot.ini") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="AUTOEXEC.BAT") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="ntuser.dat") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="desktop.ini") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="CONFIG.SYS") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="RECYCLER") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="BOOTSECT.BAK") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="programdata") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="appdata") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="program files") returned 1 [0119.562] lstrcmpiW (lpString1="Videos", lpString2="program files (x86)") returned 1 [0119.562] lstrcpyW (in: lpString1=0x24ded58, lpString2="C:\\Users\\Public\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0119.562] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Videos" | out: lpString1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0119.562] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Videos\\") returned="C:\\Users\\Public\\Videos\\" [0119.562] lstrcpyW (in: lpString1=0x24de8e0, lpString2="C:\\Users\\Public\\Videos\\" | out: lpString1="C:\\Users\\Public\\Videos\\") returned="C:\\Users\\Public\\Videos\\" [0119.562] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Videos\\*.*") returned="C:\\Users\\Public\\Videos\\*.*" [0119.562] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*.*", lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName=".", cAlternateFileName="")) returned 0x50a900 [0119.562] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.562] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="..", cAlternateFileName="")) returned 1 [0119.563] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.563] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.563] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0119.563] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0119.563] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 1 [0119.563] lstrcmpiW (lpString1="Sample Videos", lpString2=".") returned 1 [0119.563] lstrcmpiW (lpString1="Sample Videos", lpString2="..") returned 1 [0119.563] lstrcmpiW (lpString1="Sample Videos", lpString2="...") returned 1 [0119.563] lstrcmpiW (lpString1="Sample Videos", lpString2="windows") returned -1 [0119.563] lstrcmpiW (lpString1="Sample Videos", lpString2="$RECYCLE.BIN") returned 1 [0119.563] lstrcmpiW (lpString1="Sample Videos", lpString2="rsa") returned 1 [0119.563] lstrcmpiW (lpString1="Sample Videos", lpString2="log") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="NTDETECT.COM") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="ntldr") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="MSDOS.SYS") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="IO.SYS") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="boot.ini") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="AUTOEXEC.BAT") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="ntuser.dat") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="desktop.ini") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="CONFIG.SYS") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="RECYCLER") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="BOOTSECT.BAK") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="bootmgr") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="programdata") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="appdata") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="program files") returned 1 [0119.564] lstrcmpiW (lpString1="Sample Videos", lpString2="program files (x86)") returned 1 [0119.564] lstrcpyW (in: lpString1=0x24de6d8, lpString2="C:\\Users\\Public\\Videos\\" | out: lpString1="C:\\Users\\Public\\Videos\\") returned="C:\\Users\\Public\\Videos\\" [0119.564] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="Sample Videos" | out: lpString1="C:\\Users\\Public\\Videos\\Sample Videos") returned="C:\\Users\\Public\\Videos\\Sample Videos" [0119.564] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\Sample Videos", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Videos\\Sample Videos\\") returned="C:\\Users\\Public\\Videos\\Sample Videos\\" [0119.564] lstrcpyW (in: lpString1=0x24de260, lpString2="C:\\Users\\Public\\Videos\\Sample Videos\\" | out: lpString1="C:\\Users\\Public\\Videos\\Sample Videos\\") returned="C:\\Users\\Public\\Videos\\Sample Videos\\" [0119.564] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\Sample Videos\\", lpString2="*.*" | out: lpString1="C:\\Users\\Public\\Videos\\Sample Videos\\*.*") returned="C:\\Users\\Public\\Videos\\Sample Videos\\*.*" [0119.564] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\*.*", lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360034, dwReserved1=0x24de8e0, cFileName=".", cAlternateFileName="")) returned 0x50a940 [0119.565] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0119.565] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360034, dwReserved1=0x24de8e0, cFileName="..", cAlternateFileName="")) returned 1 [0119.565] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0119.565] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0119.565] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x802f4656, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be12937, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x360034, dwReserved1=0x24de8e0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.565] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0119.565] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0119.565] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0119.565] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0119.565] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0119.565] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0119.565] lstrcmpiW (lpString1="desktop.ini", lpString2="log") returned -1 [0119.565] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0119.565] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0119.565] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0119.565] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0119.565] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0119.566] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0119.566] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0119.566] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0119.566] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80282235, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bda0516, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be12937, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x1907b8a, dwReserved0=0x360034, dwReserved1=0x24de8e0, cFileName="Wildlife.wmv", cAlternateFileName="")) returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2=".") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="..") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="...") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="windows") returned -1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="$RECYCLE.BIN") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="rsa") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="log") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="NTDETECT.COM") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="ntldr") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="MSDOS.SYS") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="IO.SYS") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="boot.ini") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="AUTOEXEC.BAT") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="ntuser.dat") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="desktop.ini") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="CONFIG.SYS") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="RECYCLER") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="BOOTSECT.BAK") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="bootmgr") returned 1 [0119.566] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="programdata") returned 1 [0119.567] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="appdata") returned 1 [0119.567] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="program files") returned 1 [0119.567] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="program files (x86)") returned 1 [0119.567] lstrcpyW (in: lpString1=0x24de058, lpString2="C:\\Users\\Public\\Videos\\Sample Videos\\" | out: lpString1="C:\\Users\\Public\\Videos\\Sample Videos\\") returned="C:\\Users\\Public\\Videos\\Sample Videos\\" [0119.567] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\Sample Videos\\", lpString2="Wildlife.wmv" | out: lpString1="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" [0119.567] PathFindExtensionW (pszPath="Wildlife.wmv") returned=".wmv" [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".exe") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".log") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".cab") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".cmd") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".com") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".cpl") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".ini") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".dll") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".url") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".ttf") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".mp3") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".pif") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".mp4") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".NEPHILIM") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".msi") returned 1 [0119.567] lstrcmpiW (lpString1=".wmv", lpString2=".lnk") returned 1 [0119.567] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="NEPHILIM-DECRYPT.txt") returned 1 [0119.568] lstrlenA (lpString="NEPHILIM") returned 8 [0119.568] GetProcessHeap () returned 0x4e0000 [0119.568] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x8) returned 0x50bfc0 [0119.568] lstrlenA (lpString="NEPHILIM") returned 8 [0119.568] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb4 [0119.568] GetFileSizeEx (in: hFile=0xb4, lpFileSize=0x24dddc8 | out: lpFileSize=0x24dddc8*=26246026) returned 1 [0119.568] GetProcessHeap () returned 0x4e0000 [0119.568] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df10 [0119.569] GetProcessHeap () returned 0x4e0000 [0119.569] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x10) returned 0x50df28 [0119.569] SystemFunction036 (in: RandomBuffer=0x50df10, RandomBufferLength=0x10 | out: RandomBuffer=0x50df10) returned 1 [0119.569] SystemFunction036 (in: RandomBuffer=0x50df28, RandomBufferLength=0x10 | out: RandomBuffer=0x50df28) returned 1 [0119.569] GetProcessHeap () returned 0x4e0000 [0119.569] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e6a0 [0119.569] GetProcessHeap () returned 0x4e0000 [0119.569] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x100) returned 0x51e7a8 [0119.569] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e6a0*, pdwDataLen=0x24ddb88*=0x10, dwBufLen=0x100 | out: pbData=0x51e6a0*, pdwDataLen=0x24ddb88*=0x100) returned 1 [0119.569] CryptEncrypt (in: hKey=0x4ff008, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51e7a8*, pdwDataLen=0x24ddb84*=0x10, dwBufLen=0x100 | out: pbData=0x51e7a8*, pdwDataLen=0x24ddb84*=0x100) returned 1 [0119.569] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x1907b8a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.570] SetLastError (dwErrCode=0x0) [0119.570] WriteFile (in: hFile=0xb4, lpBuffer=0x51e6a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e6a0*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0119.583] GetLastError () returned 0x0 [0119.583] GetLastError () returned 0x0 [0119.583] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x1907c8a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.584] WriteFile (in: hFile=0xb4, lpBuffer=0x51e7a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x51e7a8*, lpNumberOfBytesWritten=0x24dddbc*=0x100, lpOverlapped=0x0) returned 1 [0119.584] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x1907d8a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.584] lstrlenA (lpString="NEPHILIM") returned 8 [0119.584] WriteFile (in: hFile=0xb4, lpBuffer=0x50bfc0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x50bfc0*, lpNumberOfBytesWritten=0x24dddbc*=0x8, lpOverlapped=0x0) returned 1 [0119.584] GetProcessHeap () returned 0x4e0000 [0119.584] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x927c0) returned 0x2110020 [0119.585] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.585] ReadFile (in: hFile=0xb4, lpBuffer=0x2110020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x24dddb0, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesRead=0x24dddb0*=0x927c0, lpOverlapped=0x0) returned 1 [0119.681] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.681] WriteFile (in: hFile=0xb4, lpBuffer=0x2110020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x24dddbc, lpOverlapped=0x0 | out: lpBuffer=0x2110020*, lpNumberOfBytesWritten=0x24dddbc*=0x927c0, lpOverlapped=0x0) returned 1 [0119.683] GetProcessHeap () returned 0x4e0000 [0119.684] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x2110020 | out: hHeap=0x4e0000) returned 1 [0119.687] CloseHandle (hObject=0xb4) returned 1 [0119.687] GetProcessHeap () returned 0x4e0000 [0119.687] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e6a0 | out: hHeap=0x4e0000) returned 1 [0119.688] GetProcessHeap () returned 0x4e0000 [0119.688] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x51e7a8 | out: hHeap=0x4e0000) returned 1 [0119.688] GetProcessHeap () returned 0x4e0000 [0119.688] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df10 | out: hHeap=0x4e0000) returned 1 [0119.688] GetProcessHeap () returned 0x4e0000 [0119.688] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x50df28 | out: hHeap=0x4e0000) returned 1 [0119.688] lstrcpyW (in: lpString1=0x24ddba8, lpString2="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" | out: lpString1="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" [0119.688] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv", lpString2=".NEPHILIM" | out: lpString1="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.NEPHILIM") returned="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.NEPHILIM" [0119.688] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), lpNewFileName="C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.NEPHILIM" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.nephilim")) returned 1 [0119.689] FindNextFileW (in: hFindFile=0x50a940, lpFindFileData=0x24dde08 | out: lpFindFileData=0x24dde08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80282235, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bda0516, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be12937, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x1907b8a, dwReserved0=0x360034, dwReserved1=0x24de8e0, cFileName="Wildlife.wmv", cAlternateFileName="")) returned 0 [0119.689] FindClose (in: hFindFile=0x50a940 | out: hFindFile=0x50a940) returned 1 [0119.689] FindNextFileW (in: hFindFile=0x50a900, lpFindFileData=0x24de488 | out: lpFindFileData=0x24de488*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24def60, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 0 [0119.689] FindClose (in: hFindFile=0x50a900 | out: hFindFile=0x50a900) returned 1 [0119.689] FindNextFileW (in: hFindFile=0x50a8c0, lpFindFileData=0x24deb08 | out: lpFindFileData=0x24deb08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x24df5e0, cFileName="Videos", cAlternateFileName="")) returned 0 [0119.689] FindClose (in: hFindFile=0x50a8c0 | out: hFindFile=0x50a8c0) returned 1 [0119.689] FindNextFileW (in: hFindFile=0x4ff0b8, lpFindFileData=0x24df188 | out: lpFindFileData=0x24df188*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x3c67b114, cFileName="Public", cAlternateFileName="")) returned 0 [0119.689] FindClose (in: hFindFile=0x4ff0b8 | out: hFindFile=0x4ff0b8) returned 1 [0119.689] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0119.689] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0119.689] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0119.689] lstrcmpiW (lpString1="Windows", lpString2="...") returned 1 [0119.689] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0119.689] FindNextFileW (in: hFindFile=0x4ff078, lpFindFileData=0x24df808 | out: lpFindFileData=0x24df808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0119.689] FindClose (in: hFindFile=0x4ff078 | out: hFindFile=0x4ff078) returned 1 Thread: id = 4 os_tid = 0x898 Thread: id = 5 os_tid = 0x8a8